PATENT COOPERATION TREATY

From: the INTERNATIONAL BUREAU

PCT

NOTIFICATION OF ELECTION

(PCT Rule 61.2)

To:

Assistant Commissioner for Patents
United States Patent and Trademark Office
Box PCT
Washington, D.C. 20231
UNITED STATES OF AMERICA

in its capacity as elected Office

Date of mailing (day/month/year)
29 August 2000 (29.08.00)

International application No.
PCT/FR00/00189

Applicant's or agent's file reference
5971.WO

International filing date (day/month/year)
27 January 2000 (27.01.00)

Priority date (day/month/year)
27 January 1999 (27.01.99)

Applicant

GUILLOU, Louis et al.





1. The designated Office is hereby notified of its election, which was made:

[X] in the demand for international preliminary examination submitted to the International Preliminary Examining Authority on:

19 July 2000 (19.07.00)

[ ] in a notice of later election filed with the International Bureau on:

2. The election [X] was made
                [ ] was not made

before the expiration of 19 months from the priority date or, where Rule 32 applies, within the time limit referred to in Rule 32.2(b).



The International Bureau of WIPO

Authorized officer

34, chemin des Colombettes

Diana Nissen

1211 Geneva 20, Switzerland

Facsimile No.: (41-22) 740.14.35

Telephone No.: (41-22) 338.83.38

Form PCT/IB/331 (July 1992)



FR0000189

From: the INTERNATIONAL PRELIMINARY EXAMINING AUTHORITY

To:

VIDON, PATRICE

Cabinet Patrice VIDON

Immeuble Germanium

80 Avenue des Buttes de Coesmes

35700 Rennes

FRANCE

PCT

NOTIFICATION OF TRANSMITTAL OF THE INTERNATIONAL PRELIMINARY EXAMINATION REPORT

(PCT Rule 71.1)

Date of mailing (day/month/year) 03.04.2001

Applicant's or agent's file reference
5971.WO

IMPORTANT NOTIFICATION

International application No.
PCT/FR00/00189

International filing date (day/month/year)
27/01/2000

Priority date (day/month/year)
27/01/1999

Applicant

FRANCE TELECOM et al.



1. The applicant is hereby notified that the International Preliminary Examining Authority has established the international preliminary examination report on the international application and transmits it herewith, together with any annexes.

2. A copy of this report and, where applicable, of its annexes is being transmitted to the International Bureau for communication to all elected Offices.

3. Where an elected Office so requires, the International Bureau will prepare an English translation of the report (but not of its annexes) and transmit it to the Offices concerned.

4. REMINDER

To enter the national phase before each elected Office, the applicant must perform certain acts (filing of a translation and payment of national fees) within 30 months from the priority date (or later for certain Offices) (Article 39(1)) (see also the reminder sent by the International Bureau in Form PCT/IB/301).

Where a translation of the international application must be furnished to an elected Office, it must include a translation of any annex to the international preliminary examination report. It is the applicant's responsibility to prepare that translation and to furnish it directly to each elected Office concerned.

For further details on the applicable time limits and the requirements of the elected Offices, see Volume II of the PCT Applicant's Guide.



Name and mailing address of the International Preliminary Examining Authority

European Patent Office
D-80298 Munich

Tel. +49 89 2399-0  Tx: 523656 epmu d

Authorized officer
Barrio Baranano, A



PATENT COOPERATION TREATY

From: the INTERNATIONAL SEARCHING AUTHORITY

PCT

NOTIFICATION OF TRANSMITTAL OF THE INTERNATIONAL SEARCH REPORT OR THE DECLARATION

(PCT Rule 44.1)

To:

Cabinet Patrice VIDON

Attn. VIDON, PATRICE

Immeuble Germanium

80 Avenue des Buttes de Coesmes

F-35700 Rennes

FRANCE

Date of mailing (day/month/year) 19/04/2000

Applicant's or agent's file reference
5971.WO

FOR FURTHER ACTION
see paragraphs 1 and 4 below

International application No.
PCT/FR 00/00189

International filing date (day/month/year) 27/01/2000

Applicant

FRANCE TELECOM et al.



1. [X] The applicant is hereby notified that the international search report has been established and is transmitted herewith.

Filing of amendments and statement under Article 19:

The applicant may, if so wished, amend the claims of the international application (see Rule 46):

When? The time limit for filing such amendments is two months from the date of transmittal of the international search report; for more details, however, see the notes on the accompanying sheet.

Where? Directly to the International Bureau of WIPO
34, chemin des Colombettes
1211 Geneva 20, Switzerland
Facsimile No.: (41-22) 740.14.35

For more detailed instructions, see the notes on the accompanying sheet.

2. [ ] The applicant is hereby notified that no international search report will be established and that the declaration under Article 17(2)(a) to that effect is transmitted herewith.

3. [ ] With regard to the protest which may be made under Rule 40.2 against the payment of one or more additional fees, the applicant is notified that:

[ ] the protest together with the decision thereon has been transmitted to the International Bureau together with the applicant's request to forward the texts of both the protest and the decision thereon to the designated Offices.

[ ] no decision has been made yet on the protest; the applicant will be notified as soon as a decision is made.

4. Further action(s): The applicant is reminded of the following:

Shortly after the expiration of 18 months from the priority date, the international application will be published by the International Bureau. If the applicant wishes to avoid or postpone publication, a notice of withdrawal of the international application, or of the priority claim, must reach the International Bureau as provided in Rules 90bis.1 and 90bis.3, respectively, before the completion of the technical preparations for international publication.

Within 19 months from the priority date, the applicant must file a demand for international preliminary examination if the applicant wishes to postpone the entry into the national phase until 30 months from the priority date (or even later in some Offices).

Within 20 months from the priority date, the applicant must perform the prescribed acts for entry into the national phase before all designated Offices which have not been elected in the demand for international preliminary examination or in a later election within 19 months from the priority date, or which could not be elected because they are not bound by Chapter II.



Name and mailing address of the International Searching Authority

European Patent Office, P.B. 5818 Patentlaan 2
NL-2280 HV Rijswijk

Tel. (+31-70) 340-2040, Tx. 31 651 epo nl,
Fax: (+31-70) 340-3016

Authorized officer

Hans Pettersson



NOTES TO FORM PCT/ISA/220

These notes are intended to give the essential instructions concerning the filing of amendments under Article 19. The notes are based on the requirements of the Patent Cooperation Treaty (PCT), the Regulations and the Administrative Instructions under the PCT. In case of discrepancy between these notes and those requirements, the latter prevail. For further information, the PCT Applicant's Guide, a WIPO publication, may also be consulted.

In these notes, the terms "Article", "Rule" and "Section" refer to the provisions of the Treaty, the Regulations and the Administrative Instructions under the PCT, respectively.



INSTRUCTIONS CONCERNING AMENDMENTS UNDER ARTICLE 19

After receiving the international search report, the applicant has one opportunity to amend the claims of the international application. It should, however, be noted that, since all parts of the international application (claims, description and drawings) may be amended during the international preliminary examination procedure, there is usually no need to file amendments to the claims under Article 19 except where, for example, the applicant wishes the amended claims to be published for the purposes of provisional protection or has another reason for amending the claims before international publication. Furthermore, it should be recalled that provisional protection is available in some States only.



What parts of the international application may be amended?
Under Article 19, the claims only.

During the international phase, the claims may also be amended (or further amended) under Article 34 before the International Preliminary Examining Authority. The description and the drawings may only be amended under Article 34 before the International Preliminary Examining Authority.

Upon entry into the national phase, all parts of the international application may be amended under Article 28 or, where applicable, under Article 41.



When? Within two months from the date of transmittal of the international search report or 16 months from the priority date, whichever time limit expires later. It should be noted, however, that the amendments will be considered as having been received on time if they reach the International Bureau after the expiration of the applicable time limit but before the completion of the technical preparations for international publication (Rule 46.1).



Where not to file the amendments?

The amendments may only be filed with the International Bureau; they may be filed neither with the receiving Office nor with the International Searching Authority (Rule 46.2).

Where a demand for international preliminary examination has been or is filed, see below.



How? Either by cancelling one or more claims in their entirety, by adding one or more new claims, or by amending the text of one or more of the claims as filed.

A replacement sheet must be submitted for each sheet of the claims which, on account of one or more amendments, differs from the sheet originally filed.

All the claims appearing on a replacement sheet must be numbered in Arabic numerals. Where a claim is cancelled, the other claims need not be renumbered. Whenever claims are renumbered, they must be renumbered consecutively (Section 205(b)).

The amendments must be made in the language in which the international application is to be published.



What documents must/may accompany the amendments?
Letter (Section 205(b)):

The amendments must be accompanied by a letter.

The letter will not be published with the international application and the amended claims. It must not be confused with the "Statement under Article 19(1)" (see below under "Statement under Article 19(1)").

The letter must be in English or French, at the choice of the applicant. However, if the language of the international application is English, the letter must be in English; if the language of the international application is French, the letter must be in French.



NOTES TO FORM PCT/ISA/220 (continued)

The letter must indicate the differences between the claims as filed and the claims as amended. It must indicate, in particular, for each claim appearing in the international application (it being understood that identical indications concerning several claims may be grouped), whether

i) the claim is unchanged;

ii) the claim is cancelled;

iii) the claim is new;

iv) the claim replaces one or more claims as filed;

v) the claim is the result of the division of a claim as filed.



The following examples illustrate the manner in which the amendments must be explained in the accompanying letter:

1. [Where originally there were 48 claims and, after amendment of some claims, there are 51]:

"Claims 1 to 15 replaced by amended claims bearing the same numbers; claims 30, 33 and 36 unchanged; new claims 49 to 51 added."

2. [Where originally there were 15 claims and, after amendment of all the claims, there are 11]:

"Claims 1 to 15 replaced by amended claims 1 to 11."

3. [Where originally there were 14 claims and the amendments consist in cancelling some claims and adding new ones]:

"Claims 1 to 6 and 14 unchanged; claims 7 to 13 cancelled; new claims 15, 16 and 17 added." or

"Claims 7 to 13 cancelled; new claims 15, 16 and 17 added; all other claims unchanged."


4. [Where several kinds of amendments are made]:

"Claims 1-10 unchanged; claims 11 to 13, 18 and 19 cancelled; claims 14, 15 and 16 replaced by amended claim 14; claim 17 divided into amended claims 15, 16 and 17; new claims 20 and 21 added."

"Statement under Article 19(1)" (Rule 46.4)

The amendments may be accompanied by a statement explaining the amendments and indicating any impact that they may have on the description and the drawings (which cannot be amended under Article 19(1)).

The statement will be published with the international application and the amended claims.
It must be in the language in which the international application is published.
It must be brief (not exceeding 500 words if in English or if translated into English).

It must not be confused with the letter explaining the differences between the claims as filed and the claims as amended, and does not replace that letter. It must appear on a separate sheet and must bear a heading identifying it as such, preferably the words "Statement under Article 19(1)".

It may not contain any disparaging comments on the international search report or on the relevance of the citations contained in that report. It may refer to citations, relevant to a given claim, contained in the international search report only in connection with an amendment of that claim.



Consequence where a demand for international preliminary examination has already been filed

If, at the time of filing amendments under Article 19, a demand for international preliminary examination has already been submitted, the applicant should preferably, when filing the amendments with the International Bureau, also file a copy of those amendments with the International Preliminary Examining Authority (see Rule 62.2(a), first sentence).



Consequence with regard to the translation of the international application upon entry into the national phase

The applicant's attention is drawn to the fact that, upon entry into the national phase, a translation of the claims as amended under Article 19 may have to be furnished to the designated or elected Offices instead of, or in addition to, the translation of the claims as filed.

For further details on the requirements of each designated or elected Office, see Volume II of the PCT Applicant's Guide.



PATENT COOPERATION TREATY

PCT

INTERNATIONAL SEARCH REPORT
(PCT Article 18 and Rules 43 and 44)

Applicant's or agent's file reference

5971.WO

FOR FURTHER ACTION  see Notification of Transmittal of International Search Report (Form PCT/ISA/220) and, where applicable, item 5 below

International application No.

PCT/FR 00/00189

International filing date (day/month/year)

27/01/2000

(Earliest) priority date (day/month/year)

27/01/1999

Applicant

FRANCE TELECOM et al.

This international search report, established by the International Searching Authority, is transmitted to the applicant according to Article 18. A copy is being transmitted to the International Bureau.

This international search report consists of 3 sheets.

[X] It is also accompanied by a copy of each prior art document cited in this report.



1. Basis of the report

a. With regard to the language, the international search was carried out on the basis of the international application in the language in which it was filed, unless otherwise indicated under this item.

[ ] the international search was carried out on the basis of a translation of the international application furnished to this Authority.

b. With regard to any nucleotide and/or amino acid sequence disclosed in the international application (if applicable), the international search was carried out on the basis of the sequence listing:

[ ] contained in the international application in written form.
[ ] filed together with the international application in computer readable form.
[ ] furnished subsequently to this Authority in written form.
[ ] furnished subsequently to this Authority in computer readable form.

[ ] the statement that the subsequently furnished written sequence listing does not go beyond the disclosure in the international application as filed has been furnished.

[ ] the statement that the information recorded in computer readable form is identical to the written sequence listing has been furnished.

2. [ ] Certain claims were found unsearchable (see Box I).
3. [ ] Unity of invention is lacking (see Box II).



4. With regard to the title,

[X] the text is approved as submitted by the applicant.

[ ] the text has been established by this Authority to read as follows:

5. With regard to the abstract,

[ ] the text is approved as submitted by the applicant.

[X] the text (reproduced in Box III) has been established by this Authority according to Rule 38.2(b). The applicant may, within one month from the date of mailing of this international search report, submit comments to this Authority.

6. The figure of the drawings to be published with the abstract is Figure No.

[ ] as suggested by the applicant.                [ ] None of the figures
[ ] because the applicant failed to suggest a figure.   is to be published.
[ ] because this figure better characterizes the invention.

Form PCT/ISA/210 (first sheet) (July 1998)



PCT/FR 00/00189

Box III  TEXT OF THE ABSTRACT (continuation of item 5 of the first sheet)

Abstract

The proof is established by means of the following parameters:

- a public modulus n constituted by the product of f prime factors p_i, f >= 2,

- a public exponent v,

- m base numbers g_i, m >= 1.

The base numbers g_i are such that the two equations:
x^2 = g_i mod n and x^2 = -g_i mod n
have no solution in x in the ring of integers modulo n, and such that the equation

x^v = g_i^2 mod n

has solutions in x in the ring of integers modulo n, in the case where the public exponent v is of the form

v = 2^k

where k is a security parameter.
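The three conditions the abstract places on each base g_i (restated as equations (1), (2) and (3) in claim 1 further on) can be checked mechanically once the prime factors of n are known, and doing so shows why the shape of the factors matters. The Python script below is an added example and is not part of the patent file or of the applicants' own code. Its primes 7, 11 and 13, the security parameter k = 3 and the candidate bases are constructed toy values, far too small for any real use, and the function names (legendre, gq2_conditions_hold, admissible_bases) are the editor's own. Conditions (1) and (2) are decided with Legendre symbols on each prime factor, condition (3) with the standard v-th power residue criterion in the cyclic group of units modulo each prime, cross-checked by exhaustive search on the toy moduli.

```python
"""Checks the parameter conditions the abstract (and claim 1) impose on the
base numbers g_i of the GQ2-style proof. Added example, not part of the patent
file: every concrete number below (primes 7, 11, 13, k = 3, the bases g) is a
constructed toy value, orders of magnitude too small for real use."""
from math import gcd


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion:
    a^((p-1)/2) is 1 mod p for a quadratic residue, p-1 for a non-residue."""
    a %= p
    if a == 0:
        return 0
    return -1 if pow(a, (p - 1) // 2, p) == p - 1 else 1


def is_square_mod_n(a, primes):
    """x^2 = a (mod n), n = product of distinct odd primes, is solvable iff it
    is solvable modulo every prime factor (Chinese remainder theorem)."""
    return all(legendre(a, p) != -1 for p in primes)


def is_power_residue_mod_n(a, v, primes):
    """x^v = a (mod n) is solvable iff a is a v-th power residue modulo each
    prime. The units mod p form a cyclic group of order p-1, so a unit a is a
    v-th power iff a^((p-1)/gcd(v, p-1)) = 1 (mod p); a multiple of p
    trivially is one (x = 0)."""
    for p in primes:
        if a % p != 0 and pow(a, (p - 1) // gcd(v, p - 1), p) != 1:
            return False
    return True


def is_power_residue_bruteforce(a, v, n):
    """Same question answered by exhaustive search; only feasible for toy n."""
    return any(pow(x, v, n) == a % n for x in range(n))


def gq2_conditions_hold(g, primes, k):
    """Claim 1 conditions for one base g with public exponent v = 2^k:
      (1) x^2 =  g  (mod n) has no solution,
      (2) x^2 = -g  (mod n) has no solution,
      (3) x^v = g^2 (mod n) has a solution."""
    n = 1
    for p in primes:
        n *= p
    v = 2 ** k
    cond1 = not is_square_mod_n(g, primes)
    cond2 = not is_square_mod_n(-g, primes)
    cond3 = is_power_residue_mod_n(g * g % n, v, primes)
    if n < 10_000:  # cross-check the group-theoretic test on toy sizes
        assert cond3 == is_power_residue_bruteforce(g * g % n, v, n)
    return cond1 and cond2 and cond3


def admissible_bases(primes, k, limit):
    """Bases g in 1..limit, coprime to n, that satisfy claim 1 (claim 2
    suggests taking the g_i among the first integers)."""
    n = 1
    for p in primes:
        n *= p
    return [g for g in range(1, limit + 1)
            if gcd(g, n) == 1 and gq2_conditions_hold(g, primes, k)]


if __name__ == "__main__":
    print(admissible_bases([7, 11], 3, 10))    # both primes are 3 mod 4
    print(gq2_conditions_hold(2, [7, 13], 3))  # 13 is 1 mod 4: (3) fails
```

With n = 7 * 11, where both factors are congruent to 3 modulo 4, condition (3) holds for every unit (squaring permutes the quadratic residues), so only (1) and (2) filter the candidates and the admissible bases below 10 are 2, 3, 5 and 8. With n = 7 * 13 the base 2 still satisfies (1) and (2) but fails (3), because 4 is not an 8th power residue modulo 13; this is the situation in which a factor congruent to 1 modulo 4 changes the answer, the case claim 6 counts separately.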



Form PCT/ISA/210 (continuation of first sheet (2)) (July 1998)



PCT/FR 00/00189

A. CLASSIFICATION OF SUBJECT MATTER

IPC 7  H04L9/32

According to International Patent Classification (IPC) or to both national classification and IPC

B. FIELDS SEARCHED

Minimum documentation searched (classification system followed by classification symbols)

IPC 7  H04L

Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched

Electronic data base consulted during the international search (name of data base and, where practicable, search terms used)


C. DOCUMENTS CONSIDERED TO BE RELEVANT

Category*   Citation of document, with indication, where appropriate, of the relevant passages     Relevant to claim No.

X           EP 0 311 470 A (TELEDIFFUSION FSE; FRANCE ETAT (FR); PHILIPS NV (NL))                1, 6, 7
            12 April 1989 (1989-04-12)
            cited in the application
            column 2, line 40 - column 3, line 50

X           EP 0 381 523 A (TOKYO SHIBAURA ELECTRIC CO)                                            1, 5
            8 August 1990 (1990-08-08)
            page 2, column 25, line 3 - page 7

[ ] Further documents are listed in the continuation of Box C.    [X] Patent family members are listed in annex.


* Special categories of cited documents:

"A"  document defining the general state of the art which is not considered to be of particular relevance
"E"  earlier document but published on or after the international filing date
"L"  document which may throw doubts on a priority claim or which is cited to establish the publication date of another citation or for another special reason (as specified)
"O"  document referring to an oral disclosure, use, exhibition or other means
"P"  document published prior to the international filing date but later than the priority date claimed
"T"  later document published after the international filing date or priority date and not part of the relevant state of the art, but cited to understand the principle or theory underlying the invention
"X"  document of particular relevance; the claimed invention cannot be considered novel or cannot be considered to involve an inventive step when the document is taken alone
"Y"  document of particular relevance; the claimed invention cannot be considered to involve an inventive step when the document is combined with one or more other such documents, such combination being obvious to a person skilled in the art
"&"  document member of the same patent family


Date of the actual completion of the international search

28 March 2000

Date of mailing of the international search report

19/04/2000




Name and mailing address of the International Searching Authority
European Patent Office, P.B. 5818 Patentlaan 2
NL-2280 HV Rijswijk
Tel. (+31-70) 340-2040, Tx. 31 651 epo nl,
Fax: (+31-70) 340-3016

Authorized officer

Masche, C



INFORMATION ON PATENT FAMILY MEMBERS

International application No. PCT/FR 00/00189

Patent document cited     Publication     Patent family         Publication
in search report          date            member(s)             date

EP 0311470 A              12-04-1989      FR 2620248 A          10-03-1989
                                          AT 83573 T            15-01-1993
                                          AU
EXAMINATION REPORT

International application No. PCT/FR00/00189

I. Basis of the report

1. With regard to the elements of the international application (replacement sheets which have been furnished to the receiving Office in response to an invitation under Article 14 are referred to in this report as "originally filed" and are not annexed to the report since they do not contain amendments (Rules 70.16 and 70.17)):

Description, pages:

1-36 as originally filed

Claims, Nos.:

13 as originally filed

1-12 received on 10/01/2001 with the letter of 09/01/2001

Drawings, sheets:

1/4-4/4 as originally filed



2. With regard to the language, all the elements indicated above were available to or furnished to this Authority in the language in which the international application was filed, unless otherwise indicated under this item.

These elements were available to or furnished to this Authority in the following language: , which is:

[ ] the language of a translation furnished for the purposes of the international search (under Rule 23.1(b)).

[ ] the language of publication of the international application (under Rule 48.3(b)).

[ ] the language of a translation furnished for the purposes of international preliminary examination (under Rule 55.2 or 55.3).

3. With regard to any nucleotide and/or amino acid sequence disclosed in the international application (if applicable), the international preliminary examination was carried out on the basis of the sequence listing:

[ ] contained in the international application in written form.

[ ] filed together with the international application in computer readable form.

[ ] furnished subsequently to this Authority in written form.

[ ] furnished subsequently to this Authority in computer readable form.

[ ] the statement that the subsequently furnished written sequence listing does not go beyond the disclosure in the international application as filed has been furnished.

[ ] the statement that the information recorded in computer readable form is identical to the written sequence listing has been furnished.
4. The amendments have resulted in the cancellation of:

[ ] the description, pages:

[X] the claims, Nos.: 13

[ ] the drawings, sheets:

5. [ ] This report has been established as if (some of) the amendments had not been made, since they have been considered to go beyond the disclosure of the invention as filed, as indicated below (Rule 70.2(c)):

(Any replacement sheet containing such amendments must be referred to under item 1 and annexed to this report.)

6. Additional observations, if necessary:



V. Reasoned statement under Article 35(2) with regard to novelty, inventive step and industrial applicability; citations and explanations supporting such statement

1. Statement

Novelty                    Yes: Claims 1-12

                           No:  Claims

Inventive step             Yes: Claims 1-12

                           No:  Claims

Industrial applicability   Yes: Claims 1-12

                           No:  Claims

2. Citations and explanations
see separate sheet

VII. Defects in the international application

The following defects in the form or contents of the international application have been noted:
see separate sheet
Concerning item V

Reasoned statement under Article 35(2) with regard to novelty, inventive step and industrial applicability; citations and explanations supporting such statement

The invention relates to a method (claim 1) for producing the prime factors whose product constitutes a public modulus required to implement a protocol intended to prove to a controller entity the authenticity of an entity and/or the integrity of a message associated with that entity. It also relates to the use (claim 10) of the method for producing the prime factors in such a protocol.

Prior art:

D1 = EP-A-0 311 470 describes such a protocol, in which an entity called the "trusted authority" assigns an identity to each entity called a "witness" and computes its RSA signature; during a personalization process, the trusted authority gives the witness its identity and signature. Thereafter, the witness declares: "Here is my identity; I know its RSA signature." The witness proves, without revealing it, that it knows the RSA signature of its identity. Using the RSA public verification key distributed by the trusted authority, an entity called the "controller" checks, without learning it, that the RSA signature corresponds to the declared identity. The mechanisms using this protocol are zero-knowledge: the witness does not know the RSA private key with which the trusted authority signs a large number of identities.

Problem:

The use of RSA technology makes the authentication protocol vulnerable to so-called "multiplicative" attacks; moreover, the workload of the arithmetic operations in the protocol according to D1 entails long computation times.

Invention:

The method according to claim 1 allows the production of particular prime factors, satisfying the conditions stated in the claim, whose product constitutes a public modulus n. This public modulus n is used in an authentication protocol defined in claim 10.

None of the documents cited in the international search report discloses or suggests the features for determining the prime factors as defined in claim 1. Moreover, these prime factors allow the computation of a public modulus n usable in an authentication protocol that avoids the drawbacks of the protocol according to D1. The subject matter of claim 1 therefore involves an inventive step (Article 33(3) PCT).

Claim 10 relates to an authentication protocol using a public modulus n constituted by the product of prime factors determined by the method according to claim 1. It therefore satisfies the requirements of Article 33 PCT.

Claims 2 to 9 and 11 to 12 depend respectively on claims 1 and 10 and therefore also satisfy, as such, the requirements of the PCT with regard to novelty and inventive step.

Concerning item VII

Defects in the international application

The pending applications mentioned on page 36 of the description are not identified by their application or publication numbers (PCT Guidelines, 114.17).
Claims

1. Method for producing the f prime factors p_1, p_2, ... p_f of a protocol intended to prove to a verifier entity

- the authenticity of an entity and/or

- the integrity of a message M associated with that entity,

by means of a public modulus n constituted by the product of said f prime factors p_1, p_2, ... p_f, f being greater than or equal to 2, or by means of the f prime factors;

said method comprising the step of producing said f prime factors p_1, p_2, ... p_f while respecting the following conditions:

° neither of the two equations (1) and (2):

$x^2 \equiv g_i \pmod n$ and $x^2 \equiv -g_i \pmod n$

has a solution in x in the ring of integers modulo n,

° equation (3):

$x^v \equiv g_i^2 \pmod n$

has solutions in x in the ring of integers modulo n;

g_1, g_2, ... g_m denoting m distinct integer base numbers, m being greater than or equal to 1;

v denoting a public exponent of the form:

$v = 2^k$

where k is a security parameter greater than 1;

said method comprising the step of choosing first:

° the security parameter k,

° the m base numbers g_1, g_2, ... g_m,

° the size of the modulus n,

° the size of the f prime factors p_1, p_2, ... p_f.

2. Method according to claim 1, such that the m base numbers g_1, g_2, ... g_m are chosen at least in part among the first prime integers.

3. Method according to claim 1 or 2, such that the security parameter k is a small integer, in particular less than 100.

4. Method according to any one of claims 1 to 3, such that the size of the modulus n is greater than several hundred bits.

5. Method according to any one of claims 1 to 4, such that the f prime factors p_1, p_2, ... p_f have a size close to the size of the modulus n divided by the number f of factors.

6. Method according to any one of claims 1 to 5, such that, among the f prime factors p_1, p_2, ... p_f:

- a number e of prime factors congruent to 1 modulo 4 is chosen, e possibly being zero (when e is zero the modulus n is hereafter called a basic modulus; when e > 0 the modulus n is hereafter called a mixed modulus),

- the f-e other prime factors are chosen congruent to 3 modulo 4, f-e being at least equal to 2.

7. Method according to claim 6, such that to produce the f-e prime factors p_1, p_2, ... p_{f-e} congruent to 3 modulo 4, the following steps are carried out:

- the first prime factor p_1 is chosen congruent to 3 modulo 4,

- the second prime factor p_2 is chosen such that p_2 is complementary to p_1 with respect to the base number g_1,

- the factor p_{i+1} is chosen by proceeding as follows, distinguishing two cases:

(1) case where i > m

° the factor p_{i+1} is chosen congruent to 3 modulo 4,

(2) case where i ≤ m

° the profile Profil_i(g_i) of g_i with respect to the first i prime factors p_1 to p_i is computed,

• if Profil_i(g_i) is flat, the factor p_{i+1} is chosen such that p_{i+1} is complementary to p_1 with respect to g_i,

° otherwise, among the i-1 base numbers g_1, g_2, ... g_{i-1} and all their multiplicative combinations, the number, hereafter called g, such that Profil_i(g) = Profil_i(g_i) is chosen, then p_{i+1} is chosen such that Profil_{i+1}(g_i) ≠ Profil_{i+1}(g),

(the expressions "complementary", "profile" and "flat profile" having the meaning defined in the description).

8. Method according to claim 7, such that to choose the last prime factor p_{f-e} one proceeds as follows, distinguishing three cases:

(1) case where f-e-1 > m

• p_{f-e} is chosen congruent to 3 modulo 4,

(2) case where f-e-1 = m

° Profil_{f-e-1}(g_m) is computed with respect to the first f-e-1 prime factors, from p_1 to p_{f-e-1},

° if Profil_{f-e-1}(g_m) is flat, p_{f-e} is chosen such that it is complementary to p_1 with respect to g_m,

° otherwise,

°° among the m-1 base numbers g_1 to g_{m-1} and all their multiplicative combinations, the number, hereafter called g, such that Profil_{f-e-1}(g) = Profil_{f-e-1}(g_m) is chosen, then

°° p_{f-e} is chosen such that Profil_{f-e}(g) ≠ Profil_{f-e}(g_m),

(3) case where f-e-1 < m

° p_{f-e} is chosen such that the two following conditions are satisfied:

(3.1) First condition,

• Profil_{f-e-1}(g_{f-e-1}) is computed with respect to the first f-e-1 prime factors, from p_1 to p_{f-e-1},

° if Profil_{f-e-1}(g_{f-e-1}) is flat, p_{f-e} is chosen so that it satisfies the first condition of being complementary to p_1 with respect to g_{f-e-1},

° otherwise,

°° among the base numbers g_1 to g_{f-e-2} and all their multiplicative combinations, the number, hereafter called g, such that Profil_{f-e-1}(g) = Profil_{f-e-1}(g_{f-e-1}) is chosen, then

°° p_{f-e} is chosen so that it satisfies the first condition of being such that Profil_{f-e}(g) ≠ Profil_{f-e}(g_{f-e-1}),

(3.2) Second condition,

• among the set of the last base numbers, from g_{f-e} to g_m, those whose profile Profil_{f-e-1}(g_i) is flat are selected, then

• p_{f-e} is chosen so that it satisfies the second condition of being complementary to p_1 with respect to each of the base numbers thus selected.

9. Method according to claim 7 or 8, such that to produce the e prime factors congruent to 1 modulo 4, each candidate prime factor p, from p_{f-e+1} to p_f, is evaluated by subjecting it to the two following successive tests:

(1) First test

- the Legendre symbol of each base number g_i, from g_1 to g_m, with respect to the candidate prime factor p is computed,

° if the Legendre symbol equals -1, the candidate p is rejected,

° if the Legendre symbol equals +1, the evaluation of the candidate p continues with the next base number, and once the last base number has been taken into account one proceeds to the second test,

(2) Second test

- an integer t is computed such that p-1 is divisible by 2^t but not by 2^{t+1}, then

- an integer s is computed such that $s = (p - 1 + 2^t) / 2^{t+1}$,

- the key (s, p) is applied to each public value G_i to obtain a result r:

$r \equiv G_i^s \pmod p$

° if r equals g_i or -g_i, the second test continues with the next public value G_{i+1},

° if r differs from g_i and from -g_i, a factor u is computed by applying the following algorithm:

°° the algorithm consists in repeating the following sequence for an index ii ranging from 1 to t-2:

°° the algorithm uses two variables, w initialised to r and jj = 2^{ii} taking values from 2 to 2^{t-1}, as well as a number b obtained by applying the key ((p-1)/2^t, p) to a quadratic non-residue of CG(p) (b is then a primitive 2^t-th root of unity modulo p); steps 1 and 2 below are then iterated,

°°° step 1: $w^2 / G_i \pmod p$ is computed,

°°° step 2: the result is raised to the power $2^{t-ii-1}$,

°°°° if +1 is obtained, the second test continues with the next public value G_{i+1},

°°°° if -1 is obtained, jj = 2^{ii} is computed, then w is replaced by $w \cdot b^{jj} \pmod p$, and the algorithm continues with the next value of the index ii,

°° at the end of the algorithm, the value held in the variable jj gives an integer u through the relation jj = 2^{t-u}; the expression t-u is then computed and two cases arise:

°°° if t-u < k, the candidate p is rejected,

°°° if t-u ≥ k, the evaluation of the candidate p continues by pursuing the second test with the next public value G_{i+1},

the candidate p is accepted as a prime factor congruent to 1 modulo 4 if, at the end of the second test, it has not been rejected for any of the m public values G_i.
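Worked example, added by the editor and not taken from the patent or its applicants: a Python implementation of the key-material generation that claims 1, 6, 7 and 9 describe. It builds a basic modulus (two primes congruent to 3 mod 4 whose Legendre profiles are complementary for every base number) and a mixed modulus (the same pair plus one prime congruent to 1 mod 4 filtered by the two tests of claim 9), then checks conditions (1), (2) and (3) of claim 1 prime by prime. Assumptions: toy 32-bit primes found by Miller-Rabin (a real modulus is thousands of bits and uses a vetted prime generator); the multiplicative-combination search of claims 7 and 8 is reduced to the f = 2 case; and the second test of claim 9, whose computation of u relies on definitions in the description that this page does not reproduce, is replaced by the equivalent criterion that g_i^2 has a 2^k-th root modulo p exactly when g_i^2 raised to (p-1)/gcd(2^k, p-1) is 1 modulo p. All function names are the editor's.

```python
"""Editor's example: producing the prime factors of claims 1, 6, 7 and 9 (toy sizes, not the patent's code)."""
import random


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p: +1 residue, -1 non-residue, 0 when p divides a."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; adequate for an example, use a vetted library for real keys."""
    if n < 2 or any(n % q == 0 and n != q for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31)):
        return False
    if n < 37:
        return True
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, residue, modulus, rng):
    """Random prime of exactly `bits` bits congruent to `residue` modulo `modulus` (3 mod 4 or 1 mod 4 here)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1))
        cand -= (cand - residue) % modulus
        if cand.bit_length() == bits and is_probable_prime(cand, rng):
            return cand


def profile(g, primes):
    """Profile of g with respect to a list of primes: the tuple of its Legendre symbols (claim 7)."""
    return tuple(legendre(g, p) for p in primes)


def has_2k_root(a, p, k):
    """True iff a has a 2^k-th root mod p: in the cyclic group Z_p^* this holds exactly when
    a^((p-1)/gcd(2^k, p-1)) == 1, and gcd(2^k, p-1) = 2^min(k, t) with t the 2-adic valuation of p-1."""
    t = ((p - 1) & -(p - 1)).bit_length() - 1
    return pow(a % p, (p - 1) >> min(k, t), p) == 1


def one_mod_four_ok(p, bases, k):
    """Claim 9 for a candidate p = 1 mod 4: first test, every g_i is a residue; second test, G_i = g_i^2
    has a 2^k-th root mod p (editor's criterion in place of the patent's computation of u)."""
    return all(legendre(g, p) == 1 and has_2k_root(g * g, p, k) for g in bases)


def check_conditions(k, bases, primes):
    """Conditions (1)-(3) of claim 1 for n = product(primes), checked prime by prime."""
    for g in bases:
        if all(legendre(g, p) != -1 for p in primes):
            return False  # (1) violated: g is a residue mod every p, so x^2 = g is solvable mod n
        if all(legendre(-g, p) != -1 for p in primes):
            return False  # (2) violated: -g is a residue mod every p
        if not all(has_2k_root(g * g, p, k) for p in primes):
            return False  # (3) violated: g^2 has no 2^k-th root mod some p, hence none mod n
    return True


def generate_basic_modulus(k, bases, bits, rng):
    """Two primes = 3 mod 4 whose profiles are complementary for every base number (claims 6-7, f = 2, e = 0).
    Since (-1/p) = -1 for p = 3 mod 4, a complementary pair makes both g and -g non-residues mod n,
    while g^2 always has 2^k-th roots modulo such primes."""
    half = bits // 2
    p1 = random_prime(half, 3, 4, rng)
    while True:
        p2 = random_prime(half, 3, 4, rng)
        if all(legendre(g, p2) == -legendre(g, p1) for g in bases):
            return p1, p2


def generate_mixed_modulus(k, bases, bits, rng):
    """Basic pair plus one prime = 1 mod 4 that passes the two tests of claim 9 (claim 6 with e = 1)."""
    p1, p2 = generate_basic_modulus(k, bases, bits * 2 // 3, rng)
    third = bits - p1.bit_length() - p2.bit_length()
    while True:
        p3 = random_prime(third, 1, 4, rng)
        if one_mod_four_ok(p3, bases, k):
            return p1, p2, p3


def demo_keygen(k, bases, bits, seed, mixed=False):
    """Reproducible run: returns (primes, n, conditions_hold)."""
    rng = random.Random(seed)
    primes = generate_mixed_modulus(k, bases, bits, rng) if mixed else generate_basic_modulus(k, bases, bits, rng)
    n = 1
    for p in primes:
        n *= p
    return primes, n, check_conditions(k, bases, primes)


if __name__ == "__main__":
    k, bases = 4, [2, 3, 5]
    primes, n, ok = demo_keygen(k, bases, 96, seed=20000127, mixed=True)
    print("primes =", primes, "n =", n, "conditions (1)-(3) hold:", ok)
    for g in bases:
        print(f"profile of {g}: {profile(g, primes)}")
```

Running the file prints one reproducible mixed modulus and the profile of each base number: the two primes congruent to 3 mod 4 carry opposite symbols for every base, and the third prime carries +1 for every base, which is exactly what the first test of claim 9 demands. Checking a candidate prime against `one_mod_four_ok` before accepting it is the step that keeps condition (3) true once k exceeds the 2-adic valuation of p-1.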

10. Protocol applying the method according to any one of claims 1 to 9; said protocol being intended to prove to a verifier entity

- the authenticity of an entity and/or

- the integrity of a message M associated with that entity,

by means of m pairs of private values Q_1, ... Q_m and public values G_1, G_2, ... G_m, or of parameters derived from them;

said modulus and said values being linked by relations of the type:

$G_i \cdot Q_i^v \equiv 1 \pmod n$ or $G_i \equiv Q_i^v \pmod n$;

said public value G_i being the square g_i^2 of the base number g_i, which is smaller than the f prime factors p_1, p_2, ... p_f;

said protocol implementing, according to the following steps, an entity called witness having the f prime factors p_j and/or the Chinese remainder parameters of the prime factors and/or the public modulus n and/or the m private values Q_i and/or the f·m components Q_{i,j} (Q_{i,j} ≡ Q_i mod p_j) of the private values Q_i, and the public exponent v;

- the witness computes commitments R in the ring of integers modulo n, each commitment being computed:

° either by performing operations of the type

$R \equiv r^v \pmod n$

where r is a random number such that 0 < r < n,

° or

°° by performing operations of the type

$R_i \equiv r_i^v \pmod{p_i}$

where r_i is a random number associated with the prime p_i such that 0 < r_i < p_i, each r_i belonging to a collection of random numbers {r_1, r_2, ... r_f},

°° then by applying the Chinese remainder method;

- the witness receives one or more challenges d, each challenge d comprising m integers d_i hereafter called elementary challenges; from each challenge d the witness computes a response D,

° either by performing operations of the type:

$D \equiv r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \cdots Q_m^{d_m} \pmod n$

° or

°° by performing operations of the type:

$D_i \equiv r_i \cdot Q_{1,i}^{d_1} \cdot Q_{2,i}^{d_2} \cdots Q_{m,i}^{d_m} \pmod{p_i}$

°° then by applying the Chinese remainder method;

said method being such that there are as many responses D as there are challenges d and commitments R, each group of numbers R, d, D constituting a triplet denoted {R, d, D}.

11. Method according to claim 10, such that to implement the pairs of private values Q_1, Q_2, ... Q_m and public values G_1, G_2, ... G_m, the prime factors p_1, p_2, ... p_f and/or the Chinese remainder parameters, the base numbers g_1, g_2, ... g_m and/or the public values G_1, G_2, ... G_m are used to compute:

- either the private values Q_1, Q_2, ... Q_m, by extracting a k-th square root (that is, a 2^k-th root) modulo n of G_i, or by taking the inverse of a k-th square root modulo n of G_i,

- or the f·m private components Q_{i,j} of the private values Q_1, Q_2, ... Q_m, such that Q_{i,j} ≡ Q_i (mod p_j).

12. Method according to claim 11, such that to compute the f·m private components Q_{i,j} of the private values Q_1, Q_2, ... Q_m:

- the key (s, p_j) is applied to compute z such that

$z \equiv G_i^s \pmod{p_j}$

- the values t and u are used,

° computed as indicated above in the case where p_j is congruent to 1 modulo 4, and

° taken respectively equal to 1 (t = 1) and 0 (u = 0) in the case where p_j is congruent to 3 modulo 4,

°° if u is zero, the set of numbers zz is considered such that:

°°° zz equals z, or

°°° zz equals the product (mod p_j) of z by each of the 2^{ii-1} primitive 2^{ii}-th roots of unity, ii ranging from 1 to min(k, t),

°° if u is positive, the set of numbers zz is considered such that zz equals the product (mod p_j) of za by each of the 2^k 2^k-th roots of unity, za denoting the value of the variable w at the end of the algorithm implemented in claim 9,

- at least one value of the component Q_{i,j} is deduced from this: it equals zz when the equation $G_i \equiv Q_i^v \pmod n$ is used, or it equals the inverse of zz modulo p_j when the equation $G_i \cdot Q_i^v \equiv 1 \pmod n$ is used.
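Worked example, added by the editor and not the patent's own code: the protocol of claims 10 to 12 run end to end in Python on a constructed toy modulus. The primes 10007 and 10099 (both congruent to 3 mod 4, checked against conditions (1) and (2) at start-up with the Legendre symbol), k = 4 and the base numbers 2 and 3 are the editor's choices and far too small for real use. The private components Q_{i,j} are computed with the key (s, p_j) of claim 12 in the p_j ≡ 3 (mod 4) case: with t = 1 the exponent of claim 9 is s = (p_j+1)/4, which extracts one square root, and the example composes k of them by using ((p_j+1)/4)^k mod (p_j-1) as the exponent. The components are then recombined by the Chinese remainder method as in claim 11. Both commitment forms of claim 10 (r^v mod n, and r_j^v mod p_j followed by CRT) are implemented and shown to agree, and the last function shows what a cheater who learns the challenge before committing can do, which is why the verifier must send d only after receiving R. All constant and function names are the editor's.

```python
"""Editor's example of the protocol of claims 10-12 on a constructed toy modulus (not the patent's code)."""
import secrets

# Constructed parameters.  10007 and 10099 are primes = 3 mod 4 with complementary Legendre symbols for
# the base numbers 2 and 3 (hand-checked: (2/10007) = +1, (2/10099) = -1, (3/10007) = +1, (3/10099) = -1).
# Toy sizes only: a real modulus is thousands of bits.
P1, P2 = 10007, 10099
PRIMES = [P1, P2]
N = P1 * P2
K = 4            # security parameter k of claim 1
V = 1 << K       # public exponent v = 2^k
BASES = [2, 3]   # base numbers g_1, g_2


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p."""
    a %= p
    return 0 if a == 0 else (1 if pow(a, (p - 1) // 2, p) == 1 else -1)


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli (the 'Chinese remainder method' of claims 10-11)."""
    x, m = 0, 1
    for r, q in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, q) % q)
        m *= q
    return x % m


def root_2k_mod_p(big_g, p, k):
    """2^k-th root of the quadratic residue big_g modulo p = 3 mod 4, i.e. the key (s, p_j) of claim 12 in the
    t = 1, u = 0 case.  The exponent ((p+1)/4)^k mod (p-1) is the editor's choice: each factor (p+1)/4
    extracts the residue square root, so k of them give a 2^k-th root."""
    assert p % 4 == 3
    z = pow(big_g, pow((p + 1) // 4, k, p - 1), p)
    assert pow(z, 1 << k, p) == big_g % p
    return z


def keygen():
    """Public values G_i = g_i^2 mod n and private values Q_i with Q_i^v = G_i mod n (claims 10-11)."""
    for g in BASES:  # conditions (1) and (2) of claim 1 on this modulus
        assert any(legendre(g, p) == -1 for p in PRIMES), "x^2 = g would be solvable mod n"
        assert any(legendre(-g, p) == -1 for p in PRIMES), "x^2 = -g would be solvable mod n"
    pub = [g * g % N for g in BASES]
    # components Q_{i,j} = Q_i mod p_j, recombined by CRT (claim 11)
    priv = [crt([root_2k_mod_p(G, p, K) for p in PRIMES], PRIMES) for G in pub]
    assert all(pow(Q, V, N) == G for Q, G in zip(priv, pub))
    return pub, priv


def commit(r):
    """Commitment R = r^v mod n (claim 10, first form)."""
    return pow(r, V, N)


def commit_crt(r_parts):
    """Commitment from per-prime randoms r_j: R_j = r_j^v mod p_j, then CRT (claim 10, second form)."""
    return crt([pow(rj, V, p) for rj, p in zip(r_parts, PRIMES)], PRIMES)


def respond(r, priv, d):
    """Response D = r * Q_1^{d_1} * ... * Q_m^{d_m} mod n for the elementary challenges d_i."""
    D = r
    for Q, di in zip(priv, d):
        D = D * pow(Q, di, N) % N
    return D


def verify(pub, R, d, D):
    """Accept the triplet {R, d, D} iff D^v = R * G_1^{d_1} * ... * G_m^{d_m} mod n, with R and D
    non-trivial and every d_i inside the challenge range [0, 2^(k-1) - 1]."""
    if not (0 < R < N and 0 < D < N) or any(not 0 <= di < (1 << (K - 1)) for di in d):
        return False
    rhs = R
    for G, di in zip(pub, d):
        rhs = rhs * pow(G, di, N) % N
    return pow(D, V, N) == rhs


def run_round(pub, priv, d, r=None):
    """One {R, d, D} round from the witness's side, returning (R, D, accepted)."""
    r = r if r is not None else secrets.randbelow(N - 1) + 1
    R = commit(r)
    D = respond(r, priv, d)
    return R, D, verify(pub, R, d, D)


def forge_with_guessed_challenge(pub, d, fake_D=None):
    """Without any Q_i, a cheater who knows d before committing picks D freely and sets
    R = D^v * G_1^{-d_1} * ... * G_m^{-d_m} mod n; the pair passes verify() for that d only.  Hence the
    verifier must choose d after receiving R, and a guesser succeeds with probability 2^(-(k-1)m) per round."""
    D = fake_D if fake_D is not None else secrets.randbelow(N - 2) + 2
    R = pow(D, V, N)
    for G, di in zip(pub, d):
        R = R * pow(pow(G, -1, N), di, N) % N
    return R, D


if __name__ == "__main__":
    pub, priv = keygen()
    d = [secrets.randbelow(1 << (K - 1)) for _ in BASES]
    R, D, ok = run_round(pub, priv, d)
    print(f"n={N} G={pub} Q={priv} challenge={d} accepted={ok}")
```

The range check on each d_i in `verify` is not cosmetic: the challenge space per round is (2^{k-1})^m, and a verifier that accepts larger or negative exponents changes the soundness argument. Real deployments repeat rounds or raise k and m until the guessing probability shown by `forge_with_guessed_challenge` is negligible.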
70.16 and Section 607 of the Administrative Instructions under the PCT).

These annexes consist of a total of 8 sheets.

3. This report contains indications relating to the following items:
I    [X] Basis of the report
II   [ ] Priority
III  [ ] Non-establishment of opinion with regard to novelty, inventive step and industrial applicability
IV   [ ] Lack of unity of invention
V    [X] Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial applicability; citations and explanations supporting such statement
VI   [ ] Certain documents cited
VII  [X] Certain defects in the international application
VIII [ ] Certain observations on the international application

(Receiving stamp: Technology Center 2100)

Date of submission of the demand: 19 July 2000 (19.07.00)
Date of completion of this report: 03 April 2001 (03.04.2001)

Form PCT/IPEA/409 (cover sheet) (July 1998)



INTERNATIONAL PRELIMINARY EXAMINATION REPORT

International application No. PCT/FR00/00189

I. Basis of the report

1. With regard to the elements of the international application:*
[ ] the international application as originally filed
[X] the description: pages 1-36, as originally filed
[X] the claims: pages 13, as originally filed; pages 1-12, filed with the letter of 10 January 2001 (10.01.2001)
[X] the drawings: pages 1/4-4/4, as originally filed
[ ] the sequence listing part of the description

2. With regard to the language, all the elements marked above were available or furnished to this Authority in the language in which the international application was filed, unless otherwise indicated under this item. None of the alternatives is marked: the language of a translation furnished for the purposes of international search (under Rule 23.1(b)), the language of publication of the international application (under Rule 48.3(b)), or the language of the translation furnished for the purposes of international preliminary examination (under Rule 55.2 and/or 55.3).

3. With regard to any nucleotide and/or amino acid sequence disclosed in the international application, the international preliminary examination was carried out on the basis of the sequence listing: none of the alternatives (contained in the international application in written form; filed together with the international application in computer readable form; furnished subsequently in written form; furnished subsequently in computer readable form; statement that the subsequently furnished written sequence listing does not go beyond the disclosure as filed; statement that the information recorded in computer readable form is identical to the written sequence listing) is marked.

4. The amendments have resulted in the cancellation of:
[ ] the description, pages
[X] the claims, Nos. 13
[ ] the drawings, sheets/fig

[ ] This report has been established as if (some of) the amendments had not been made, since they have been considered to go beyond the disclosure as filed, as indicated in the Supplemental Box (Rule 70.2(c)).**

* Replacement sheets which have been furnished to the receiving Office in response to an invitation under Article 14 are referred to in this report as "originally filed" and are not annexed to this report since they do not contain amendments (Rules 70.16 and 70.17).

** Any replacement sheet containing such amendments must be referred to under item 1 and annexed to this report.
V. Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial applicability; citations and explanations supporting such statement

1. Statement

Novelty (N)                    Claims 1-12   YES      Claims   NO
Inventive step (IS)            Claims 1-12   YES      Claims   NO
Industrial applicability (IA)  Claims 1-12   YES      Claims   NO

Citations and explanations

The invention relates to a method (Claim 1) for producing 
prime factors whereof the product constitutes a public 
module necessary for implementing a protocol designed to 
prove the authenticity of an entity, and/or the integrity 
of a message associated with said entity, to a verifier 
entity. The invention also relates to the use (Claim 10) of the method for producing prime factors in such a protocol.

Prior art: 



Dl (EP-A-0 311 470) describes such a protocol according to 
which an entity known as "trusted authority" attributes an 
identity to each so-called "witness" entity, and 
calculates the RSA signature thereof. During a 
customization process, the trusted authority gives the 
witness an identity and signature. Subsequently, the 
witness states: "This is my identity; I know the RSA signature thereof". The witness proves that it knows the RSA signature of its identity without revealing said signature. The public RSA verification key distributed by the trusted authority enables a so-called "verifier" entity to verify that the RSA signature matches the stated identity, without the signature being disclosed to said entity. The mechanisms using this protocol operate "without knowledge transfer": the witness does not know the private RSA key with which the trusted authority signs a large number of identities.



Problem: 



The use of RSA technology makes the authentication 
protocol sensitive to "multiplicative" attacks. 
Furthermore, the workload associated with the arithmetic 
operations in the protocol according to Dl leads to long 
calculation times. 



Invention : 



The method according to Claim 1 produces particular prime 
factors, the product of which constitutes a public module 
n, while respecting the conditions mentioned in the claim. 
Said public module n is used in an authentication protocol 
defined in Claim 10. 



None of the documents cited in the international search 
report discloses or suggests the features for determining 
prime factors such as those defined in Claim 1. Moreover, 
said prime factors lead to the calculation of a public 
module n that can be used in an authentication protocol 
that avoids the disadvantages of the protocol according to 
Dl. The subject matter of Claim 1 therefore involves an 
inventive step (PCT Article 33(3)). 

Claim 10 relates to an authentication protocol that uses a 
public module n consisting of the product of prime factors 
predetermined by the method according to Claim 1. Said 
claim therefore meets the requirements of PCT Article 33. 



Form PCT/IPEA/409 (Box V) (January 1994) 



Claims 2 to 9 and 11 to 12 are dependent on Claims 1 and 
10, respectively, and therefore also meet, as such, the 
PCT requirements of novelty and inventive step. 
VII. Certain defects in the international application

The following defects in the form or contents of the international application have been noted:

The pending applications set forth on page 36 of the description have not been identified by their application or publication numbers (PCT Examination Guidelines, II-4.17).
PATENT COOPERATION TREATY

PCT

INTERNATIONAL SEARCH REPORT

(Article 18 and Rules 43 and 44 of the PCT)

Applicant's or agent's file reference: 5971.WO

FOR FURTHER ACTION see the notification of transmittal of the international search report (Form PCT/ISA/220) and, where applicable, item 5 below

International application No.: PCT/FR 00/00189

International filing date (day/month/year): 27/01/2000

(Earliest) priority date (day/month/year): 27/01/1999

Applicant: FRANCE TELECOM et al

This international search report has been prepared by this International Searching Authority and is transmitted to the applicant according to Article 18. A copy is being transmitted to the International Bureau.

This international search report consists of a total of 3 sheets.

[X] It is also accompanied by a copy of each prior art document cited in this report.

1. Basis of the report

a. With regard to the language, the international search was carried out on the basis of the international application in the language in which it was filed, unless otherwise indicated under this item.

[ ] the international search was carried out on the basis of a translation of the international application furnished to this Authority.

b. With regard to any nucleotide and/or amino acid sequence disclosed in the international application (where applicable), the international search was carried out on the basis of the sequence listing: none of the alternatives (contained in the international application in written form; filed together with the international application in computer readable form; furnished subsequently in written form; furnished subsequently in computer readable form; statement that the subsequently furnished written sequence listing does not go beyond the disclosure as filed; statement that the information recorded in computer readable form is identical to the written sequence listing) is marked.

2. [ ] Certain claims were found unsearchable (see Box I).

3. [ ] Unity of invention is lacking (see Box II).

4. With regard to the title,

[X] the text is approved as submitted by the applicant
[ ] the text has been established by this Authority to read as follows:

5. With regard to the abstract,

[ ] the text is approved as submitted by the applicant
[X] the text (reproduced in Box III) has been established by this Authority according to Rule 38.2(b). The applicant may, within one month from the date of mailing of this international search report, submit comments to this Authority.

6. The figure of the drawings to be published with the abstract is Figure No.

[ ] as suggested by the applicant.
[ ] None of the figures is to be published.
[ ] because the applicant failed to suggest a figure.
[ ] because this figure better characterizes the invention.

Form PCT/ISA/210 (first sheet) (July 1998)
Box III TEXT OF THE ABSTRACT (continuation of item 5 of the first sheet)

Abstract

The proof is established by means of the following parameters:

- a public modulus n constituted by the product of f prime factors p_1, p_2, ... p_f, f ≥ 2,

- a public exponent v,

- m base numbers g_i, m ≥ 1.

The base numbers g_i are such that the two equations

$x^2 \equiv g_i \pmod n$ and $x^2 \equiv -g_i \pmod n$

have no solution in x in the ring of integers modulo n, and such that the equation

$x^v \equiv g_i^2 \pmod n$

has solutions in x in the ring of integers modulo n, in the case where the public exponent v is of the form

$v = 2^k$

where k is a security parameter.
A. CLASSIFICATION OF SUBJECT MATTER

IPC 7 H04L9/32

According to International Patent Classification (IPC) or to both national classification and IPC

B. FIELDS SEARCHED

Minimum documentation searched (classification system followed by classification symbols): IPC 7 H04L

Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched:

Electronic data base consulted during the international search (name of data base and, where practical, search terms used):

C. DOCUMENTS CONSIDERED TO BE RELEVANT

Category X: EP 0 311 470 A (TELEDIFFUSION FSE; FRANCE ETAT (FR); PHILIPS NV (NL)), 12 April 1989 (1989-04-12), cited in the application, column 2, line 40 - column 3, line 50. Relevant to claims 1, 6, 7.

Category X: EP 0 381 523 A (TOKYO SHIBAURA ELECTRIC CO), 8 August 1990 (1990-08-08), page 2, column 25, line 3 - page 7. Relevant to claims 1, 5.

[ ] Further documents are listed in the continuation of box C.

[X] Patent family members are listed in annex.

Special categories of cited documents:

"A" document defining the general state of the art which is not considered to be of particular relevance
"E" earlier document but published on or after the international filing date
"L" document which may throw doubts on priority claim(s) or which is cited to establish the publication date of another citation or other special reason (as specified)
"O" document referring to an oral disclosure, use, exhibition or other means
"P" document published prior to the international filing date but later than the priority date claimed
"T" later document published after the international filing date or priority date and not in conflict with the application but cited to understand the principle or theory underlying the invention
"X" document of particular relevance; the claimed invention cannot be considered novel or cannot be considered to involve an inventive step when the document is taken alone
"Y" document of particular relevance; the claimed invention cannot be considered to involve an inventive step when the document is combined with one or more other such documents, such combination being obvious to a person skilled in the art
"&" document member of the same patent family

Date of the actual completion of the international search: 28 March 2000

Date of mailing of the international search report: 19/04/2000

Name and mailing address of the ISA: European Patent Office, P.B. 5818 Patentlaan 2, NL-2280 HV Rijswijk; Tel. (+31-70) 340-2040, Tx. 31 651 epo nl, Fax: (+31-70) 340-3016

Authorized officer: Plasche, C
INTERNATIONAL SEARCH REPORT
Information on patent family members

International application No. PCT/FR 00/00189

Patent document cited in search report   Publication date   Patent family member(s)   Publication date
EP 0311470 A                             12-04-1989         FR 2620248 A              10-03-1989
                                                            AT 83573 T                15-01-1993
                                                            AU 2197188 A              23-03-1989
                                                            CA 1295706 A              11-02-1992
                                                            DE 3876741 A              28-01-1993
                                                            FI 884082 A,B             08-03-1989
                                                            JP 1133092 A              25-05-1989
                                                            KR 9608209 B              20-06-1996
                                                            US 5218637 A              08-06-1993
                                                            US 5140634 A              18-08-1992
EP 0381523 A                             08-08-1990         JP 2204768 A              14-08-1990
                                                            JP 3053367 A              07-03-1991
                                                            US 5046094 A              03-09-1991
                                                            JP 3073990 A              28-03-1991
                                                            JP 3072737 A              27-03-1991
INTERNATIONAL SEARCH REPORT

International Application No. PCT/FR 00/00189

A. CLASSIFICATION OF SUBJECT MATTER

IPC 7 H04L9/32

According to International Patent Classification (IPC) or to both national classification and IPC

B. FIELDS SEARCHED

Minimum documentation searched (classification system followed by classification symbols): IPC 7 H04L

Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched:

Electronic data base consulted during the international search (name of data base and, where practical, search terms used):

C. DOCUMENTS CONSIDERED TO BE RELEVANT

Category X: EP 0 311 470 A (TELEDIFFUSION FSE; FRANCE ETAT (FR); PHILIPS NV (NL)), 12 April 1989 (1989-04-12), cited in the application, column 2, line 40 - column 3, line 50. Relevant to claims 1, 6, 7.

Category X: EP 0 381 523 A (TOKYO SHIBAURA ELECTRIC CO), 8 August 1990 (1990-08-08), page 2, column 25, line 3 - page 7. Relevant to claims 1, 5.

[ ] Further documents are listed in the continuation of box C.

[X] Patent family members are listed in annex.

Special categories of cited documents:

"A" document defining the general state of the art which is not considered to be of particular relevance
"E" earlier document but published on or after the international filing date
"L" document which may throw doubts on priority claim(s) or which is cited to establish the publication date of another citation or other special reason (as specified)
"O" document referring to an oral disclosure, use, exhibition or other means
"P" document published prior to the international filing date but later than the priority date claimed
"T" later document published after the international filing date or priority date and not in conflict with the application but cited to understand the principle or theory underlying the invention
"X" document of particular relevance; the claimed invention cannot be considered novel or cannot be considered to involve an inventive step when the document is taken alone
"Y" document of particular relevance; the claimed invention cannot be considered to involve an inventive step when the document is combined with one or more other such documents, such combination being obvious to a person skilled in the art
"&" document member of the same patent family

Date of the actual completion of the international search: 28 March 2000

Date of mailing of the international search report: 19/04/2000

Name and mailing address of the ISA: European Patent Office, P.B. 5818 Patentlaan 2, NL-2280 HV Rijswijk; Tel. (+31-70) 340-2040, Tx. 31 651 epo nl, Fax: (+31-70) 340-3016

Authorized officer: Plasche, C
INTERNATIONAL SEARCH REPORT
Information on patent family members

International Application No. PCT/FR 00/00189

Patent document cited in search report   Publication date   Patent family member(s)   Publication date
EP 0311470 A                             12-04-1989         FR 2620248 A              10-03-1989
                                                            AT 83573 T                15-01-1993
                                                            AU 2197188 A              23-03-1989
                                                            CA 1295706 A              11-02-1992
                                                            DE 3876741 A              28-01-1993
                                                            FI 884082 A,B             08-03-1989
                                                            JP 1133092 A              25-05-1989
                                                            KR 9608209 B              20-06-1996
                                                            US 5218637 A              08-06-1993
                                                            US 5140634 A              18-08-1992
EP 0381523 A                             08-08-1990         JP 2204768 A              14-08-1990
                                                            JP 3053367 A              07-03-1991
                                                            US 5046094 A              03-09-1991
                                                            JP 3073990 A              28-03-1991
                                                            JP 3072737 A              27-03-1991
INTERNATIONAL PRELIMINARY EXAMINATION REPORT
(Article 36 and Rule 70 of the PCT)

Applicant's or agent's file reference: 5971.WO

FOR FURTHER ACTION: see the notification of transmittal of the international preliminary examination report (Form PCT/IPEA/416)

International application No: PCT/FR00/00189

International filing date (day/month/year): 27/01/2000

Priority date (day/month/year): 27/01/1999

International Patent Classification (IPC) or both national classification and IPC: H04L9/32

Applicant: FRANCE TELECOM et al.

1. This international preliminary examination report, drawn up by the International Preliminary Examining Authority, is transmitted to the applicant in accordance with Article 36.

2. This REPORT consists of 5 sheets, including this cover sheet.

[X] It is accompanied by ANNEXES, that is, sheets of the description, claims and/or drawings which have been amended and form the basis of this report, or sheets containing rectifications made before the International Preliminary Examining Authority (see Rule 70.16 and Section 607 of the Administrative Instructions under the PCT).

These annexes consist of 8 sheets.

3. This report contains indications relating to the following items:

I    [X] Basis of the report
II   [ ]
III  [ ] ... industrial applicability
IV   [ ] Lack of unity of invention
V    [X] Reasoned statement under Article 35(2) with regard to novelty, inventive step and industrial applicability; citations and explanations supporting such statement
VI   [ ] Certain documents cited
VII  [X] Defects in the international application
VIII [ ]

Date of submission of the demand for international preliminary examination: 19/07/2000

Date of completion of this report: 03.04.2001

Name and mailing address of the International Preliminary Examining Authority:
European Patent Office
D-80298 Munich
Tel. +49 89 2399 - 0 Tx: 523656 epmu d
Fax: +49 89 2399 - 4465

Authorized officer: Cretaine, P
Telephone No. +49 89 2399 8828




INTERNATIONAL PRELIMINARY EXAMINATION REPORT

International application No. PCT/FR00/00189

I. Basis of the report

1. With regard to the elements of the international application (replacement sheets which have been furnished to the receiving Office in response to an invitation under Article 14 are referred to in this report as "originally filed" and are not annexed to the report since they do not contain amendments (Rules 70.16 and 70.17)):

Description, pages:
1-36 as originally filed

Claims, No.:
13 as originally filed
1-12 received on 10/01/2001 with the letter of 09/01/2001

Drawings, sheets:
1/4-4/4 as originally filed

2. With regard to the language, all the elements marked above were available to or furnished to this Authority in the language in which the international application was filed, unless otherwise indicated under this item.

These elements were available to or furnished to this Authority in the following language: , which is:

[ ] the language of a translation furnished for the purposes of international search (under Rule 23.1(b)).

[ ] the language of publication of the international application (under Rule 48.3(b)).

[ ] the language of the translation furnished for the purposes of international preliminary examination (under Rule 55.2 or 55.3).

3. With regard to any nucleotide and/or amino acid sequence disclosed in the international application, the international preliminary examination was carried out on the basis of the sequence listing:

[ ] contained in the international application in written form.

[ ] filed together with the international application in computer readable form.

[ ] furnished subsequently to this Authority in written form.

[ ] furnished subsequently to this Authority in computer readable form.

[ ] The statement that the subsequently furnished written sequence listing does not go beyond the disclosure in the international application as filed has been furnished.

[ ] The statement that the information recorded in computer readable form is identical to the written sequence listing has been furnished.
International application No. PCT/FR00/00189

4. The amendments have resulted in the cancellation of:

[ ] the description, pages:

[X] the claims, Nos.: 13

[ ] the drawings, sheets:

5. [ ] This report has been established as if (some of) the amendments had not been made, since they have been considered to go beyond the disclosure as filed, as indicated below (Rule 70.2(c)):

(Any replacement sheet containing such amendments must be referred to under item 1 and annexed to this report.)

6. Additional observations, if necessary:

V. Reasoned statement under Article 35(2) with regard to novelty, inventive step and industrial applicability; citations and explanations supporting such statement

1. Statement

Novelty                    Yes: Claims 1-12
                           No:  Claims

Inventive step             Yes: Claims 1-12
                           No:  Claims

Industrial applicability   Yes: Claims 1-12
                           No:  Claims

2. Citations and explanations
see separate sheet

VII. Defects in the international application

The following defects in the form or contents of the international application have been noted:
see separate sheet
Concerning item V

Reasoned statement under Article 35(2) with regard to novelty, inventive step and industrial applicability; citations and explanations supporting such statement

The invention concerns a method (claim 1) for producing the prime factors whose product constitutes a public module required to implement a protocol intended to prove to a controller entity the authenticity of an entity and/or the integrity of a message associated with that entity. It also concerns the use (claim 10) of the method for producing the prime factors in such a protocol.

Prior art:

D1 = EP-A-0 311 470 describes such a protocol, in which an entity called the "trusted authority" assigns an identity to each entity called a "witness" and computes the RSA signature of that identity; during a personalisation process, the trusted authority gives the identity and the signature to the witness. Subsequently, the witness declares: "Here is my identity; I know its RSA signature." The witness proves that it knows the RSA signature of its identity without revealing it. Using the public RSA verification key distributed by the trusted authority, an entity called the "controller" verifies, without learning the signature, that the RSA signature corresponds to the declared identity. The mechanisms using this protocol operate "with zero knowledge transfer": the witness does not know the private RSA key with which the trusted authority signs a large number of identities.

Problem:

The use of RSA technology makes the authentication protocol vulnerable to so-called "multiplicative" attacks; moreover, the computational load of the arithmetic operations in the protocol according to D1 leads to long computation times.

Invention:

The method according to claim 1 produces particular prime factors, satisfying the conditions set out in the claim, whose product constitutes a public module n. This public module n is used in an authentication protocol defined in claim 10.

None of the documents cited in the international search report discloses or suggests the features for determining the prime factors as defined in claim 1. Moreover, these prime factors allow the computation of a public module n usable in an authentication protocol that avoids the drawbacks of the protocol according to D1. The subject-matter of claim 1 therefore involves an inventive step (Article 33(3) PCT).

Claim 10 concerns an authentication protocol using a public module n constituted by the product of prime factors determined by the method according to claim 1. It therefore meets the requirements of Article 33 PCT.

Claims 2 to 9 and 11 to 12 depend respectively on claims 1 and 10 and therefore also satisfy, as such, the requirements of the PCT with regard to novelty and inventive step.

Concerning item VII

Defects in the international application

The pending applications referred to on page 36 of the description are not identified by their application or publication numbers (PCT Guidelines, 114.17).
Claims

1. Method for producing the f prime factors p_1, p_2, ... p_f of a protocol intended to prove to a controller entity,

- the authenticity of an entity and/or

- the integrity of a message M associated with that entity,

by means of a public module n constituted by the product of the said f prime factors p_1, p_2, ... p_f, f being greater than or equal to 2, or by means of the f prime factors;

the said method comprising the step of producing the said f prime factors p_1, p_2, ... p_f while satisfying the following conditions:

• neither of the two equations (1) and (2):

x^2 ≡ g_i (mod n) and x^2 ≡ -g_i (mod n)

has a solution in x in the ring of integers modulo n,

• equation (3):

x^v ≡ g_i^2 (mod n)

has solutions in x in the ring of integers modulo n;

g_1, g_2, ... g_m designating m distinct integer base numbers, m being greater than or equal to 1;

v designating a public exponent of the form:

v = 2^k

where k is a security parameter greater than 1;

the said method comprising the step of choosing first:

• the security parameter k,

• the m base numbers g_1, g_2, ... g_m,

• the size of the module n,

• the size of the f prime factors p_1, p_2, ... p_f.

2. Method according to claim 1 such that the m base numbers g_1, g_2, ... g_m are chosen at least in part from among the first prime integers.

3. Method according to any one of claims 1 or 2, such that the security parameter k is a small integer, in particular less than 100.

4. Method according to any one of claims 1 to 3, such that the size of the module n is greater than several hundred bits.

5. Method according to any one of claims 1 to 4, such that the f prime factors p_1, p_2, ... p_f have a size close to the size of the module n divided by the number f of factors.

6. Method according to any one of claims 1 to 5, such that among the f prime factors p_1, p_2, ... p_f

- a number e of prime factors congruent to 1 modulo 4 is chosen, e possibly being zero (where e is zero the module n will hereafter be called a basic module; where e > 0 the module n will hereafter be called a mixed module),

- the f-e other prime factors are chosen congruent to 3 modulo 4, f-e being at least equal to 2.

7. Method according to claim 6 such that to produce the f-e prime factors p_1, p_2, ... congruent to 3 modulo 4, the following steps are carried out:

- the first prime factor p_1 is chosen congruent to 3 modulo 4,

- the second prime factor p_2 is chosen such that p_2 is complementary to p_1 with respect to the base number g_1,

- the factor p_{i+1} is chosen by proceeding as follows, distinguishing two cases:

(1) Case where i > m
• the factor p_{i+1} is chosen congruent to 3 modulo 4,

(2) Case where i < m
• the profile Profil_i(g_i) of g_i with respect to the first i prime factors p_1, ... p_i is computed,

• if Profil_i(g_i) is flat, the factor p_{i+1} is chosen such that p_{i+1} is complementary to p_1 with respect to g_i,

• otherwise, among the i-1 base numbers g_1, g_2, ... g_{i-1} and all their multiplicative combinations, the number hereafter called g is chosen such that Profil_i(g) = Profil_i(g_i); p_{i+1} is then chosen such that Profil_{i+1}(g_i) ≠ Profil_{i+1}(g),

(the expressions "complementary", "profile" and "flat profile" having the meaning defined in the description).

8. Method according to claim 8 such that to choose the last prime factor p_{f-e} one proceeds as follows, distinguishing three cases:

(1) Case where f-e-1 > m

• p_{f-e} is chosen congruent to 3 modulo 4,

(2) Case where f-e-1 = m

• Profil_{f-e-1}(g_m) is computed with respect to the first f-e-1 prime factors, from p_1 to p_{f-e-1},

• if Profil_{f-e-1}(g_m) is flat, p_{f-e} is chosen such that it is complementary to p_1 with respect to g_m,

• otherwise,

• • among the m-1 base numbers from g_1 to g_{m-1} and all their multiplicative combinations, the number hereafter called g is chosen such that Profil_{f-e-1}(g) = Profil_{f-e-1}(g_m), then

• • p_{f-e} is chosen such that Profil_{f-e}(g) ≠ Profil_{f-e}(g_m).

(3) Case where f-e-1 < m

• p_{f-e} is chosen such that the two following conditions are satisfied:

(3.1) First condition,

• Profil_{f-e-1}(g_{f-e-1}) is computed with respect to the first f-e-1 prime factors, from p_1 to p_{f-e-1},

• if Profil_{f-e-1}(g_{f-e-1}) is flat, p_{f-e} is chosen such that it satisfies the first condition of being complementary to p_1 with respect to g_{f-e-1},

• otherwise,

• • among the first f-e-1 base numbers g_1, g_2, ... and all their multiplicative combinations, the number hereafter called g is chosen such that Profil_{f-e-1}(g) = Profil_{f-e-1}(g_{f-e-1}), then

• • p_{f-e} is chosen such that it satisfies the first condition that Profil_{f-e}(g) ≠ Profil_{f-e}(g_{f-e-1}),

(3.2) Second condition,

• among the set of last base numbers from g_{f-e} to g_m, those whose profile Profil_{f-e-1}(g_i) is flat are selected, then

• p_{f-e} is chosen such that it satisfies the second condition of being complementary to p_1 with respect to each of the base numbers thus selected.

9. Method according to claims 7 or 8 such that to produce the e prime factors congruent to 1 modulo 4, each candidate prime factor p, from p_{f-e+1} to p_f, is evaluated by subjecting it to the following two successive tests:

(1) First test

- the Legendre symbol of each base number g_i, from g_1 to g_m, with respect to the candidate prime factor p is computed,

• if the Legendre symbol is equal to -1, the candidate p is rejected,

• if the Legendre symbol is equal to +1, the evaluation of the candidate p is continued by passing to the next base number, and when the last base number has been taken into account one passes to the second test,

(2) Second test,

- an integer t is computed such that p-1 is divisible by 2^t but not by 2^(t+1), then

- an integer s is computed such that s = (p-1+2^t)/2^(t+1),

- the key (s, p) is applied to each public value G_i to obtain a result r

r = G_i^s mod p

• if r is equal to g_i or -g_i, the second test is continued by passing to the next public value G_{i+1},

• if r is different from g_i and -g_i, a factor u is computed by applying the following algorithm:

• • the algorithm consists in repeating the following sequence for an index ii going from 1 to t-2:

• • the algorithm uses two variables: w, initialised with r, and jj = 2^ii, taking values from 2 to 2^(t-2), as well as a number b obtained by applying the key ((p-1)/2^t, p) to a non-quadratic residue of CG(p); steps 1 and 2 below are then iterated,

• • • step 1: w^2/G_i (mod p) is computed,

• • • step 2: the result is raised to the power 2^(t-ii-1),

• • • • if +1 is obtained, the second test is continued by passing to the next public value G_{i+1},

• • • • if -1 is obtained, jj = 2^ii is computed, then w is replaced by w·b^jj (mod p), and the algorithm is continued for the next value of the index ii,

• • at the end of the algorithm, the value held in the variable jj allows an integer u to be computed by the relation jj = 2^(t-u); the expression t-u is then computed, and two cases arise:

• • • if t-u < k, the candidate p is rejected,

• • • if t-u ≥ k, the evaluation of the candidate p is continued by pursuing the second test with the next public value G_{i+1},

the candidate p is accepted as a prime factor congruent to 1 modulo 4 if, at the end of the second test, it has not been rejected for any of the m public values G_i.

10. Protocol applying the method according to any one of claims 1 to 9; the said protocol being intended to prove to a controller entity,

- the authenticity of an entity and/or

- the integrity of a message M associated with that entity,

by means of m pairs of private values Q_1, Q_2, ... Q_m and public values G_1, G_2, ... G_m, or of parameters derived from them;

the said module and the said values being linked by relations of the type:

G_i · Q_i^v ≡ 1 mod n or G_i ≡ Q_i^v mod n;

the said public value G_i being the square g_i^2 of the base number g_i, which is smaller than the f prime factors p_1, p_2, ... p_f;

the said protocol implementing, according to the following steps, an entity called the witness, which has the f prime factors p_j and/or the Chinese remainder parameters of the prime factors and/or the public module n and/or the m private values Q_i and/or the f·m components Q_{i,j} (Q_{i,j} ≡ Q_i mod p_j) of the private values Q_i, and the public exponent v;

- the witness computes commitments R in the ring of integers modulo n; each commitment being computed:

• either by carrying out operations of the type

R = r^v mod n

where r is a random number such that 0 < r < n,

• or

• • by carrying out operations of the type

R_i = r_i^v mod p_i

where r_i is a random number associated with the prime number p_i such that 0 < r_i < p_i, each r_i belonging to a collection of random numbers {r_1, r_2, ... r_f},

• • then by applying the Chinese remainder method;

- the witness receives one or more challenges d; each challenge d comprising m integers d_i hereafter called elementary challenges; from each challenge d the witness computes a response D,

• either by carrying out operations of the type:

D ≡ r · Q_1^d_1 · Q_2^d_2 · ... · Q_m^d_m mod n

• or

• • by carrying out operations of the type:

D_i ≡ r_i · Q_{1,i}^d_1 · Q_{2,i}^d_2 · ... · Q_{m,i}^d_m mod p_i

• • then by applying the Chinese remainder method;

the said method being such that there are as many responses D as challenges d and as commitments R, each group of numbers R, d, D constituting a triplet denoted {R, d, D}.

11. Method according to claim 10 such that, to implement the pairs of private values Q_1, Q_2, ... Q_m and public values G_1, G_2, ... G_m, the prime factors p_1, p_2, ... p_f and/or the Chinese remainder parameters, the base numbers g_1, g_2, ... g_m and/or the public values G_1, G_2, ... G_m are used to compute:

- either the private values Q_1, Q_2, ... Q_m, by extracting a k-th square root modulo n of G_i, or by taking the inverse of a k-th square root modulo n of G_i,

- or the f·m private components Q_{i,j} of the private values Q_1, Q_2, ... Q_m, such that Q_{i,j} ≡ Q_i (mod p_j).

12. Method according to claim 11 such that, to compute the f·m private components Q_{i,j} of the private values Q_1, Q_2, ... Q_m:

- the key (s, p_j) is applied to compute z such that

z ≡ G_i^s (mod p_j)

- the values t and u are used,

• computed as indicated above in the case where p_j is congruent to 1 modulo 4, and

• taken respectively equal to 1 (t=1) and 0 (u=0) in the case where p_j is congruent to 3 modulo 4,

• • if u is zero, the set of numbers zz is considered such that:

• • • zz is equal to z, or such that

• • • zz is equal to the product (mod p_j) of z by each of the primitive 2^ii-th roots of unity, ii going from 1 to min(k,t),

• • if u is positive, the set of numbers zz is considered such that zz is equal to the product (mod p_j) of za by each of the 2^k 2^k-th roots of unity, za designating the value of the variable w at the end of the algorithm implemented in claim 10,

- at least one value of the component Q_{i,j} is deduced from this: it is equal to zz when the equation G_i ≡ Q_i^v mod n is used, or it is equal to the inverse of zz modulo p_j when the equation G_i · Q_i^v ≡ 1 mod n is used.
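The prime-factor conditions of claim 1 and the commitment / challenge / response exchange of claim 10, as an added worked example in Python that is not code from the application or its applicants. It assumes every factor is congruent to 3 modulo 4 (the "basic module" of claim 6), that the controller's acceptance check is D^v · G_1^d_1 · ... · G_m^d_m ≡ R (mod n), which is what the relation G_i · Q_i^v ≡ 1 (mod n) of claim 10 implies (the claims shown do not spell out the verification step), and that elementary challenges are drawn below v; the parameters n = 7 · 11, k = 2 and bases 2 and 3 are constructed toy values.

```python
"""Toy walk-through of claims 1 and 10: the conditions on the prime factors,
the private values Q_i, and one commitment / challenge / response round.
Parameters are tiny and chosen for readability, not for security."""
import math
import random

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p: 1, -1 or 0."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def crt(residues, moduli):
    """Recombine residues modulo pairwise coprime moduli (Chinese remainders)."""
    x, m = 0, 1
    for r, p in zip(residues, moduli):
        x += m * (((r - x) * pow(m, -1, p)) % p)
        m *= p
    return x % m

def root_2k(a, p, k):
    """y with y^(2^k) ≡ a (mod p) for p ≡ 3 (mod 4) and a a quadratic residue.
    The residues mod such a p form a group of odd order, so squaring permutes
    them: a^((p+1)/4) is again a residue and the root step can be repeated."""
    assert p % 4 == 3 and legendre(a, p) == 1
    for _ in range(k):
        a = pow(a, (p + 1) // 4, p)
    return a

def claim1_conditions_hold(g, primes, k):
    """(1) x^2 ≡ g and (2) x^2 ≡ -g have no solution mod n, while
    (3) x^(2^k) ≡ g^2 has one. A square root mod n exists only if it exists
    mod every factor, so one factor with Legendre symbol -1 settles (1) or (2).
    Restricted to the "basic module" of claim 6: every factor ≡ 3 (mod 4)."""
    n = math.prod(primes)
    no_root_g = any(legendre(g, p) == -1 for p in primes)
    no_root_neg_g = any(legendre(-g, p) == -1 for p in primes)
    x = crt([root_2k(g * g % p, p, k) for p in primes], primes)
    cond3 = pow(x, 2 ** k, n) == g * g % n
    return no_root_g and no_root_neg_g and cond3

def private_values(bases, primes, k):
    """Q_i with G_i * Q_i^v ≡ 1 (mod n), G_i = g_i^2 (first relation of claim 10):
    a 2^k-th root of G_i^-1 modulo each factor, recombined by CRT (claim 11)."""
    n, v = math.prod(primes), 2 ** k
    qs = []
    for g in bases:
        g_inv = pow(g * g, -1, n)
        q = crt([root_2k(g_inv % p, p, k) for p in primes], primes)
        assert g * g * pow(q, v, n) % n == 1
        qs.append(q)
    return qs

def witness_commit(n, v, rng):
    """Commitment R = r^v mod n for a random r coprime to n."""
    r = rng.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return r, pow(r, v, n)

def witness_respond(r, qs, d, n):
    """Response D = r * Q_1^d_1 * ... * Q_m^d_m mod n."""
    out = r
    for q, di in zip(qs, d):
        out = out * pow(q, di, n) % n
    return out

def controller_verify(R, d, D, Gs, v, n):
    """Check D^v * prod(G_i^d_i) ≡ R (mod n). With G_i * Q_i^v ≡ 1 this equals
    r^v * prod((Q_i^v * G_i)^d_i) = r^v = R, so an honest witness passes."""
    lhs = pow(D, v, n)
    for G, di in zip(Gs, d):
        lhs = lhs * pow(G, di, n) % n
    return lhs == R

def run_round(primes, bases, k, seed=1):
    """One round; returns (honest response accepted, altered response accepted)."""
    rng = random.Random(seed)
    n, v = math.prod(primes), 2 ** k
    Gs = [g * g % n for g in bases]
    qs = private_values(bases, primes, k)
    r, R = witness_commit(n, v, rng)
    d = [rng.randrange(v) for _ in bases]  # elementary challenges d_i (range assumed)
    D = witness_respond(r, qs, d, n)
    honest = controller_verify(R, d, D, Gs, v, n)
    # 2^v ≡ 1 (mod n) would need 2 ≡ ±1 mod every factor, so doubling D fails.
    altered = controller_verify(R, d, 2 * D % n, Gs, v, n)
    return honest, altered

if __name__ == "__main__":
    # Constructed toy parameters: k = 2 (v = 4), n = 7 * 11, bases 2 and 3.
    print([claim1_conditions_hold(g, (7, 11), 2) for g in (2, 3)])  # [True, True]
    print(run_round((7, 11), (2, 3), 2))  # (True, False)
```

With n = 7 · 23 instead, base 2 is a square modulo both factors, so condition (1) fails and the function reports it, which is what the complementarity requirement of claims 7 and 8 is there to prevent.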
(54) Device and method for authenticating user's access rights to resources according to the Challenge-Response principle

(57) The present invention provides a device for authenticating user's access rights to resources, which comprises first memory means 111 for storing challenging data 18, second memory means 115 for storing unique identifying information of the user 16, third memory means 113 for storing proof support information 13 which is the result of executing predetermined computations on the unique identifying information of the user 16 and unique security characteristic information of the device 14, response generation means 116 for generating a response 19 from the challenging data 18 stored in the first memory means 111, the unique identifying information 16 stored in the second memory means 115 and the proof support information 13 stored in the third memory means 113, and verification means 106 for verifying the legitimacy of the response 19 by verifying that the response 19, the challenging data 18 and the unique security characteristic information of the device 14 satisfy a specific predefined relation.
Description

The present invention relates to a device for authenticating user's access rights to resources.

Program execution control technologies are known in the field to which the present invention belongs. The program execution control technologies are technologies to:

1. Embed a routine for user authentication during the use of an application program;

2. Have the routine examine whether the user attempting execution of the application possesses a key for proper authentication; and

3. Continue the program only when the existence of the key for authentication is verified, and otherwise halt execution.

By using these technologies, execution of the application program is enabled only for proper users having the authentication key. The technologies are commercialized in the software marketing field, two examples being SentinelSuperPro (trade mark) from Rainbow Technologies, Inc. and HASP (trade mark) from Aladdin Knowledge Systems, Ltd.

In the use of program execution control technologies, a user who executes software possesses an authentication key as user identification information. The authentication key is a key for encryption and is distributed to the user by a party who allows use of the software, a software vendor, for example. The authentication key is securely sealed in a memory, or the like, of hardware to prevent duplication, and is delivered to the user by physical means such as the postal service. The user mounts it on a personal computer/workstation using a designated method. When the user starts up the application program and the execution of the program reaches the user authentication routine, the program communicates with the hardware in which the authentication key of the user is embedded. Based on the results of the communication, the program identifies the authentication key and moves the execution to the following step upon confirmation of the existence of the correct authentication key. If the communication fails and the existence of the authentication key is not verified, the program stops automatically, discontinuing the execution of subsequent steps.

Identification of the authentication key by the user authentication routine is executed according to the following protocol, for example:

1. The user authentication routine generates and transmits an appropriate number to the hardware in which the key is embedded.

2. The hardware in which the key is embedded encrypts the number using the embedded authentication key and transmits it back to the authentication routine.

3. The authentication routine determines whether or not the number transmitted back is the number expected beforehand, or, in other words, the number obtained by encrypting the number with a correct authentication key.

4. If the number transmitted back coincides with the expected number, the execution of the program is continued; otherwise the execution is halted.

5. In this case, communication between the application program and the hardware in which the authentication key is embedded must be different for each execution, even if it is between the same location in the same application with the same hardware.

Otherwise, a user who does not possess the correct authentication key may be able to execute the program by recording once the content of the communication during a normal execution, and by responding to the application program according to the recording each time the program is subsequently executed. Such improper execution of the application program by replaying the communication content is called a replay attack.

In order to prevent a replay attack, in general, a random number is generated and used for each communication as the number to be transmitted to the hardware in which the key is embedded.

The present invention has been made in view of the above circumstances, and an aspect of the present invention is to provide a device for authenticating user's access rights to resources, and its method, which set both users and the protecting side such as application providers free from the inconveniences caused by handling a large amount of unique information, for example a lot of authentication keys, so that user's access rights are easily and simply authenticated when execution control of programs, privacy protection of electronic mail, access control of files or computer resources and so forth are carried out.

Additional aspects and advantages of the invention will be set forth in part in the description which follows and in part will be obvious from the description, or may be learned by practice of the invention. The aspects and advantages of the invention may be realized and attained by means of the instrumentalities and combinations particularly pointed out in the appended claims. It will be understood that each of the features described herein can be taken separately or jointly. To achieve the aspects and in accordance with the purpose of the invention, as embodied and broadly described herein, one aspect of a device for authenticating user's access rights to resources of the present invention comprises first memory means for storing challenging data, second memory means for storing unique identifying information of the user, third memory means for storing proof support information which is the result of executing predetermined computations on the user unique identifying information and unique security characteristic information of the device, response generation means for generating a response from the challenging data stored in the first memory means, the unique identifying information stored in the second memory means and the proof support information stored in the third memory means, and verification means for verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information of the device satisfy a specific predefined relation.

With the above constitution, the unique security characteristic information of the device assigned to the protecting side and the unique identifying information of the user are made independent of each other. The information on actual access rights is represented as proof support information (i.e., an access ticket). The user holds the user unique identifying information in advance; on the other hand, a protector, such as a program creator, prepares the unique security characteristic information, or the counterpart of the unique security characteristic information in terms of public key cryptography, independently of the user unique identifying information held by the user. An access ticket is generated based on the user unique identifying information and the unique security characteristic information used in the creation of the application program or the like. Access tickets are distributed to the users, whereby authentication of the user's access rights to resources such as execution control can be performed. Thus the complexity occurring in the case where both the user and the protector use the same information for performing authentication can be avoided.

Moreover, in the above constitution, at least the second memory means and the response generation means may be confined in protect means which prevent any data inside from being observed or tampered with from the outside. It may also be possible to implement at least the second memory means and the response generation means within a small portable device such as a smart card.

The response generating means may comprise first calculation means and second calculation means, wherein the first calculation means executes predetermined calculations on the user unique identifying information stored in the second memory means and the proof support information stored in the third memory means to obtain the unique security characteristic information as a result, and the second calculation means executes predetermined calculations on the challenging data stored in the first memory means and the unique security characteristic information calculated by the first calculation means to generate the response as a result of calculation.

The above-described response generation means may comprise third calculation means, fourth calculation means and fifth calculation means. The third calculation means executes predetermined calculations on the challenging data stored in the first memory means and the proof support information stored in the third memory means, the fourth calculation means executes predetermined calculations on the challenging data stored in the first memory means and the user unique identifying information stored in the second memory means, and the fifth calculation means executes predetermined calculations on the results of calculation by the third and fourth calculation means, whereby the response is generated. In this case, at least the second memory means and the fourth calculation means can be confined within the protect means which prevent any data inside from being observed or tampered with from the outside. At least the second memory means and the fourth calculation means may be implemented within a small portable device such as a smart card.

The accompanying drawings, which are incorpo- 
rated in and constitute a part of this specification illus- 
trate embodiment of the invention and. together with the 
description, serve to explain the objects, advantages 
and principles of the invention. In the drawings: 

Fig. 1 is a block diagram showing an example of the fundamental constitution of the present invention;
Fig. 2 is a block diagram showing an example of the constitution of the present invention in case that an entire device is implemented within a single PC;
Fig. 3 is a block diagram showing the constitution of a first embodiment of a device for authenticating user's access rights to resources according to the present invention;
Fig. 4 is a flow chart showing functions of means constituting the devices of the first embodiment;
Fig. 5 is a block diagram showing the constitutions of a verification device and a proving device of a second embodiment of the device for authenticating user's access rights to resources according to the present invention;
Fig. 6 is a flow chart showing functions of means constituting the verification device of the second embodiment;
Fig. 7 is a block diagram showing a constitutional example of execution means of the verification means of the second embodiment;
Fig. 8 is a flow chart showing functions of the constitutional example of the execution means shown in Fig. 7;
Fig. 9 is a block diagram showing a second constitutional example of execution means of the verification means of the second embodiment;
Fig. 10 is a flow chart showing functions of the constitutional example of the execution means shown in Fig. 9;
Fig. 11 is a block diagram showing a third constitutional example of execution means of the verification means of the second embodiment;
Fig. 12 is a flow chart showing functions of the constitutional example of the execution means shown in Fig. 11;
Fig. 13 is a block diagram showing a fourth constitutional example of execution means of the verification means of the second embodiment;
Fig. 14 is a flow chart showing functions of the constitutional example of the execution means shown in Fig. 13;
Fig. 15 is a block diagram showing the constitution of a proving device of a third embodiment of the device for authenticating user's access rights to resources according to the present invention;
Fig. 16 is a flow chart showing functions of means constituting the proving device of the third embodiment;
Fig. 17 is a block diagram showing a constitutional example of a fourth embodiment of the device for authenticating user's access rights to resources according to the present invention;
Fig. 18 is a block diagram showing another constitutional example of the fourth embodiment;
Fig. 19 is a flow chart showing functions of means of the constitutional example shown in Fig. 17;
Fig. 20 is a block diagram showing the constitution of a fifth embodiment of the device for authenticating user's access rights to resources according to the present invention;
Fig. 21 is a flow chart showing functions of means constituting a verification device of the fifth embodiment;
Fig. 22 is a block diagram showing the constitution of a sixth embodiment of the device for authenticating user's access rights to resources according to the present invention;
Fig. 23 is a flow chart showing functions of means constituting devices of the sixth embodiment;
Fig. 24 is a block diagram showing the constitution of a seventh embodiment of the device for authenticating user's access rights to resources according to the present invention;
Fig. 25 is a flow chart showing functions of means constituting devices of the seventh embodiment; and
Fig. 26 is a block diagram showing a part of the constitution of a proving device of ninth and tenth embodiments of the device for authenticating user's access rights to resources according to the present invention.

At first, an example of the fundamental constitution of the present invention is described. The user authentication system of the example can be applied to privacy protection of electronic mail, control of access to files or computer resources, and control of execution of applications.

In Fig. 1, the user authentication system comprises a verification device 10 and a proving device 11: the proving device 11 receives an access ticket (proof support data) from an access ticket generation device 12; the verification device 10 executes a verification routine 15; the proving device 11 retains user identifying information 16 and the access ticket 13 and executes a response generation program 17.

The access ticket generation device 12 is installed on the protector side, such as an application provider. The access ticket generation device 12 generates the access ticket 13 based on the unique security characteristic information of the device 14 and the user identifying information 16, and the access ticket 13 is forwarded to the user through communication or by sending a floppy diskette or the like, to be retained by the proving device 11 of the user. Then the verification device 10 sends challenging data 18 to the proving device 11. The proving device 11 generates a response 19 by utilizing the access ticket 13 and the user identifying information 16, and returns it to the verification device 10. The verification device 10 verifies the legitimacy of the response based on the challenging data; that is, the verification device 10 verifies that the response has been generated based on the challenging data and the unique security characteristic information of the device.

If the legitimacy of the response is verified, the access rights of the user are authenticated; accordingly, continuation of execution of a program, access to files, and so forth, are permitted.

With the above constitution, an example of execution control of an application program is now described.

In the above constitution, a user of an application program retains only one piece of user identifying information 16. The user identifying information is equivalent to a password in password authentication and is unique, significant information which identifies the user. If it were possible for the user to copy and distribute the user identifying information 16, it would lead to use of the application program by users without legitimate access rights; therefore, the user identifying information 16 is protected by protection means 160 so that even the user who is the legitimate owner of the user identifying information 16 cannot extract it. The protection means 160 may be hardware with a protecting effect (hereinafter referred to as tamper-resistant hardware) against theft of the inside conditions by external probes. A method of implementation of the tamper-resistant hardware will be described later.

In addition to the user identifying information 16, the response generation program 17 which executes predetermined computations is provided to the user. The program 17 performs communication with a user authentication routine (verification routine 15): on receiving two parameters, namely the user identifying information 16 and the access ticket 13, the program 17 executes computations on arbitrary inputted values to generate the response 19 for identifying the user. The user identifying information 16 is used in the course of the computation, and it is required to protect at least a part of the program 17 by the protection means 160, since leakage of the user identifying information 16 to the outside will cause a problem for the above-described reason.

Hereinafter, the memory means for storing the user identifying information and the part of the program which are protected by the protection means 160, the device for executing that part of the program (for example, consisting of a memory and an MPU) and the protection means 160 are integrally referred to as the token (shown by the reference numeral 20 in Fig. 1). The token may have portability, like a smart card.

Similar to the conventional execution control technologies, the verification routine 15 is embedded in the application program. The verification routine 15 is the same as that of the conventional technologies in that it communicates with the response generation program 17 retained by the user, and continues execution of the program if and only if the returned result (response 19) is correct. Therefore, it is necessary that the program creator knows the method of computing the combination of transferred data (challenging data 18) and the correct returned data corresponding thereto (response 19).

Some examples of functions of the verification routine 15 are explained as follows:

1. Data to be transferred (challenging data 18) and expected returned data (expected value) are embedded in the verification routine 15. The verification routine 15 fetches the data to be transferred and transfers it to the user, and receives the returned data from the user. Then the verification routine 15 compares the returned data from the user with the expected value: if they are identical with each other, the verification routine 15 executes the next step of the program; if they are not identical, the verification routine 15 halts the execution of the program.

In the case where the returned data is assumed to be a result of encryption of the transferred data in accordance with a predetermined encryption algorithm, the unique security characteristic information of the device is an encryption key.

2. Data to be transferred (challenging data 18) and data generated by applying a one-way function to the expected returned data (expected value) are embedded in the verification routine 15. The verification routine 15 fetches the data to be transferred and transfers it to the user, and receives the returned data from the user. Then the verification routine 15 compares data generated by applying the one-way function to the returned data from the user with the expected value: if they are identical with each other, the verification routine 15 executes the next step of the program; if they are not identical, the verification routine 15 halts the execution of the program.

In the case where the returned data is assumed to be a result of encryption of the transferred data in accordance with a predetermined encryption algorithm, the unique security characteristic information of the device is an encryption key.

3. Protection is provided by encrypting a part of the code of the application program in accordance with a predetermined encryption algorithm so that execution of the program is impossible. The verification routine 15 transfers the encrypted code to the user and receives returned data from the user, and then replaces the encrypted code with the received value.

With this constitution, execution of the program is possible if and only if the returned data is a correct decryption of the encrypted code. In this case, the unique security characteristic information is a decryption key for decrypting the encrypted code.

4. Protection is provided by encrypting a part of 
code of the application program in accordance with 
a predetermined encryption algorithm so that exe- 
cution of the program may be impossible. Moreover, 
data generated by encrypting a decryption key 
paired with the encryption key used for encrypting 
the code is embedded as transferred data in the 
verification routine 15. The verification routine 15 
transfers the encrypted decryption key to the user 
and receives returned data from the user, and then 
decrypts the encrypted code with the value of the 
received data as a decryption key. 

With this constitution, the encrypted code is 
correctly decrypted if and only if the returned data is 
a decryption key which has been correctly 
decrypted, and accordingly execution of the pro- 
gram becomes possible. In this case, the unique 
security characteristic information of the device is a 
decryption key for decrypting the encrypted decryp- 
tion key. 

In the conventional execution control technologies, the user identifying information (authentication key of the user) is identical with the unique security characteristic information of the device. The conventional response generation routine receives the unique security characteristic information and the data transferred from the verification routine as the input, and then executes computations thereto for generating data to be returned.

By contrast, the present invention is characterized in that the user identifying information 16 and the unique security characteristic information of the device 14 are independent of each other. In this constitutional example, the response generation program 17 takes the access ticket 13, in addition to the user identifying information 16 and the data transferred from the verification routine 15 (challenging data 18), as its input, and then executes predetermined computations on them for generating the data to be returned (response 19). The constitution has the following properties:

1. The access ticket 13 is data calculated based on the specific user identifying information 16 and the unique security characteristic information of the device.

2. At least from the viewpoint of the computation amount, it is impossible to calculate the unique security characteristic information from the access ticket 13 without knowing the user identifying information 16.

3. The response generation program 17 executes computations for generating the correct data to be returned if and only if it is given a correct combination of the user identifying information 16 and the access ticket 13. Note that the access ticket 13 has been calculated based on the user identifying information 16.

With the constitution described so far, the execution control can be carried out by the following steps: the user has the user identifying information 16 in advance; the program creator prepares the application program independent of the user identifying information 16 retained by the user; and the program creator generates the access ticket 13 based on the user identifying information 16 and the unique security characteristic information of the device 14 used in creating the application program, and distributes the access ticket 13 to the user.

It may be possible to constitute the user identifying information 16 from two pieces of user identifying information, so as to distinguish the information used for preparing the access ticket 13 from the information used in the communication program by the user. In the most representative example, the user identifying information 16 is made to be a public key pair: the public key is published to be used for generating the access ticket, and the private key is confined within the token 20 as the user's individual secret information. In this case, it is possible to calculate the access ticket 13 while the user identifying information 16 is kept secret, by calculating the access ticket 13 from the unique security characteristic information 14 and the public key of the public key pair.

First Embodiment 

In a first embodiment, an access ticket t is defined by the relation (1).

$t = D - e + \omega\,\phi(n)$    (1)

In the following bulleted paragraphs, symbols used 
in the above relation are described. 

An integer n is an RSA modulus, hence a product of two very large prime numbers p and q ($n = pq$). $\phi(n)$ denotes the Euler totient of n, hence the product of the two integers p-1 and q-1 ($\phi(n) = (p-1)(q-1)$). A piece of user identifying information e is an integer allocated to each user. A piece of user identifying information is unique to a user: a different user identifying information is allocated to a different user.

An access-ticket secret key D is the private key of an RSA public key pair. Since the modulus is assumed to be n, the relation (2) is derived from the definition.

$\gcd(D, \phi(n)) = 1$    (2)

In the above, $\gcd(x, y)$ denotes the greatest common divisor of two integers x and y. The existence of an integer E satisfying the relation (3), which is called an access-ticket public key, is derived from the relation (2).

$ED \bmod \phi(n) = 1$    (3)

$\omega$ is an integer dependent upon both n and e. It is required that a value which differs with overwhelming probability is allocated to $\omega$ if at least one of n and e is different. In defining $\omega$ in a consistent manner, a one-way hash function h may be used.

$\omega = h(n \,|\, e)$    (4)

In the relation (4), $n \,|\, e$ denotes the concatenation of the two bit-string representations of n and e. A one-way hash function h is a function having the property that it is extremely difficult to calculate two distinct x and y satisfying $h(x) = h(y)$. Known examples of one-way hash functions are MD2, MD4 and MD5 of RSA Data Security, Inc., and the SHS (Secure Hash Standard) of the U.S. federal government. (MD2, MD4 and MD5 have since been shown not to be collision resistant; a present-day implementation would use a current SHA-2 or SHA-3 function for h instead.)

Among the above numbers, t, E and n can be open to the public without any risk, while the rest of the numbers, namely D, e, $\omega$, p, q and $\phi(n)$, are to be kept secret from everybody but those who are allowed to generate an access ticket. Fig. 3 depicts the constitution of the first embodiment. A verification device 10 comprises the following: an access ticket public key storing means 101; a random number generation means 102; a random number storing means 103; a response storing means 105; a verification means 106; an execution means 107; and an error trapping means 108. On the other hand, a proving device 11 comprises the following: a challenging data storing means 111; a first calculation means 112; an access ticket storing means 113; a second calculation means 114; a user identifying information storing means 115; and a response generation means 116.

In the following numbered paragraphs, the function of the means constituting the devices will be described.

1. The verification device 10 is invoked by a user. The way to invoke the device varies depending upon how the device is implemented. A few examples are now shown. First, the verification device 10 may be implemented as a part of an application program to be installed and executed on a user's PC or workstation. In this case, the user may invoke the verification device 10 by invoking the application program in ordinary ways. For example, the user may click the iconic symbol representing the application program on the computer screen with a pointing device such as a mouse, or may use a keyboard. The verification device 10 may be implemented as a program installed and executed on a server computer that is connected to a user's PC or workstation by means of a computer network. In this case, in order to invoke the verification device 10, a user first invokes a communication program installed on his/her own PC or workstation: the communication program establishes a connection to the server, and asks the server to invoke the verification device 10. When the communication program and the server follow the TCP/IP protocols, for instance, the verification device 10 is allocated to a predefined port number on the server computer. When the communication program issues a request for establishing a connection to the port, inetd, a daemon program running on the server computer, receives the request. After checking which program is allocated to the specified port, it finally invokes the verification device 10, and establishes a connection between the verification device and the communication program. This way of implementation is very common in networked computer systems like the Internet. The verification device 10 may be implemented as a program written on a ROM or EEPROM within a smart card reader-writer. In this case, the proving device 11 is a program installed on the IC chip of a smart card; the verification device 10 is invoked whenever a user inserts his/her smart card into the smart card reader-writer.

2. The verification device 10 sends challenging data C and a modulus n to the challenging data storing means 111 of the proving device 11. The modulus n is stored in the access-ticket public key storing means 101. On the other hand, challenging data C is generated as follows: the random number generation means 102 generates a random integer r so that r and the modulus n are relatively prime ($\gcd(r, n) = 1$); the generated random integer r is stored in the random number storing means 103; finally, the random number generation means 102 sets the value of C to r. As stated later in more detail, the response which the proving device 11 is to return to the verification device 10 is the RSA encryption of r with D as the key and n as the modulus. Since the value of C is identical to the random integer r, it varies with each occurrence of communication between the verification device 10 and the proving device 11. This prevents a so-called replay attack from succeeding.

3. The first calculation means 112 of the proving device 11 calculates an intermediate result R' according to the relation (5). The access ticket t to be used is stored in the access ticket storing means 113.

$R' = C^{t} \bmod n$    (5)

4. The second calculation means 114 of the proving device 11 calculates a differential S according to the relation (6). The user identifying information e to be used is stored in the user identifying information storing means 115.

$S = C^{e} \bmod n$    (6)
5. Receiving R' and S from the first calculation means 112 and the second calculation means 114, the response generation means 116 of the proving device 11 calculates a response R according to the relation (7).

$R = R' S \bmod n$    (7)

6. The proving device 11 returns the generated response R to the response storing means 105 of the verification device 10.

7. The verification means 106 of the verification device 10 first performs the calculation (8). Both the exponent E and the modulus n are stored in the access ticket public key storing means 101, and the response R is stored in the response storing means 105.

$R^{E} \bmod n$    (8)

Finally, the verification means 106 examines the relation (9).

$C \bmod n = R^{E} \bmod n$    (9)

If the relation (9) holds, the verification means invokes the execution means 107. The execution means 107 provides the user with the utilities that he/she wanted to access. Otherwise, it invokes the error trapping means 108. The error trapping means 108 may deny user access by terminating the execution.
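Why the relation (9) holds for a correctly generated response, as an added derivation in the symbols of this embodiment (it is not part of the original specification): combining the relations (5), (6) and (7) with the definition (1) of the ticket,

$$R = R' S = C^{t} C^{e} = C^{t+e} = C^{D + \omega\,\phi(n)} \pmod n .$$

Since $\gcd(C, n) = 1$ by the choice of r in step 2, Euler's theorem gives $C^{\phi(n)} \equiv 1 \pmod n$, so $R \equiv C^{D} \pmod n$: the response equals the RSA decryption of C under the access-ticket secret key D, although the proving device holds neither D nor $\phi(n)$, only t and (inside the token) e. By the relation (3), $ED = 1 + k\,\phi(n)$ for some integer k, hence

$$R^{E} \equiv C^{DE} = C^{1 + k\,\phi(n)} \equiv C \pmod n ,$$

which is the relation (9). If the proving device holds the correct ticket t but a different user identifying information $e' \neq e$, its exponent is $t + e' = D + (e' - e) + \omega\,\phi(n)$, so $R \equiv C^{D + (e' - e)}$ and $R^{E} \equiv C \cdot C^{E(e' - e)} \pmod n$. This equals C only when $C^{E(e' - e)} \equiv 1 \pmod n$; because E is invertible modulo $\phi(n)$, the number of such C among the units modulo n is $\gcd(e' - e, p-1)\,\gcd(e' - e, q-1)$, a negligible fraction of $\phi(n)$ when the user identifying information is far smaller than p and q, so a random C makes the check fail.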

Second Embodiment

A second embodiment to be described is the same as the first embodiment regarding the definition of an access ticket t and the function of the proving device. However, the verification device works differently. The difference in the roles between challenging data C and a response R causes the difference in function between the two embodiments: in the first embodiment, a response R is the encryption of random challenging data C; in the second embodiment, a response R will be the decryption of challenging data C, which is the encryption of some other meaningful data.

Fig. 5 depicts the constitution of devices of the second embodiment, and Fig. 6 depicts the flow of data. A verification device 10 comprises the following means: an access ticket public key storing means 101; a random number generation means 102; a random number storing means 103; a response storing means 105; a randomizing means 121; a challenge seed storing means 122; a de-randomizing means 123; and an execution means 310. A proving device 11 comprises the following means: a challenging data storing means 111; a first calculation means 112; an access ticket storing means 113; a second calculation means 114; a user identifying information storing means 115; and a response generation means 116.

In the following numbered paragraphs, the function of the means constituting the devices will be described step by step.

1. The verification device 10 is invoked by a user.

2. The verification device 10 sends challenging data C and a modulus n to the challenging data storing means 111 of the proving device 11. The modulus n is stored in the access ticket public key storing means 101. On the other hand, challenging data C is generated by carrying out the following steps: the random number generating means 102 generates a random integer r so that r and the modulus n are relatively prime ($\gcd(r, n) = 1$); the random integer r is stored in the random number storing means 103; the randomizing means 121 generates challenging data C according to the relation (10).

$C = r^{E} C' \bmod n$    (10)



The integer C' is stored in the challenge seed storing means 122, and satisfies the relation (11) for some data K.

$C' = K^{E} \bmod n$    (11)

The exponent E (access ticket public key) and the modulus n are both stored in the access ticket public key storing means 101.

The verification device 10 retains the encryption C' of K instead of K itself. In fact, C' is the RSA encryption of K with the public key E and the modulus n. This has an advantage from the viewpoint of security: the data K, crucial for the authentication procedures, never leaks from the verification device 10. The randomness of r also plays an important role: if r were identical to some secret constant, the challenging data C would be the encryption of the data K up to a constant coefficient, and therefore the response which the proving device 11 generates would be K up to a constant coefficient; thus a constant r would allow replay attacks, since communication between the verification device 10 and the proving device 11 would always be identical. In this embodiment, by generating challenging data C so that it is dependent on a random number r (see the relation (10)), communication between the verification device 10 and the proving device 11 varies each time, and therefore attempts at replay attacks become hopeless.
3. The first calculation means 112 of the proving device 11 calculates an intermediate result R' according to the relation (12).

$R' = C^{t} \bmod n$    (12)

In the course of the calculation, the means uses the access ticket t stored in the access ticket storing means 113.

4. The second calculation means 114 of the proving device 11 calculates a differential S according to the relation (13).

$S = C^{e} \bmod n$    (13)

In the course of the calculation, the means uses the user identifying information e stored in the user identifying information storing means 115.

5. Receiving the intermediate result R' and the differential S from the first calculation means 112 and the second calculation means 114, the response generation means 116 of the proving device calculates a response R according to the relation (14).

$R = R' S \bmod n$    (14)

6. The proving device 11 returns the generated response R to the response storing means 105 of the verification device 10.

7. The de-randomizing means 123 of the verification device 10 calculates K' according to the relation (15).

$K' = r^{-1} R \bmod n$    (15)

In the course of the calculation, the means uses the random number r stored in the random number storing means 103 and the response R stored in the response storing means 105. Note that the values K' and K are identical with each other if and only if the proving device 11 calculated the response R based on a right pair of an access ticket t and a user identifying information e.

Finally, the de-randomizing means 123 sends K' to the execution means 310, and the execution means 310 executes predefined procedures using this given K'. The execution means 310 is designed so that it works properly only when K' is identical with K; otherwise it fails to work.
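The two challenge-response procedures described above (steps 1 to 7 of the first embodiment and steps 1 to 7 of the second embodiment), run end to end as an added Python example. This is illustration code written for this page; it is not code from the patent or from any product implementing it. It assumes SHA-256 as the one-way hash h of the relation (4), two small Mersenne primes as a toy modulus, D = 65537 as the access-ticket secret key, and hypothetical function names; the second-embodiment verifier compares h(K') with a stored h(K) rather than K itself, in the manner of the second execution-means example described below. The impostor case shows that holding the ticket t without the matching user identifying information e yields a response that fails both checks.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (assumption): 2^61-1 and 2^31-1 are Mersenne primes,
# chosen only so the example runs instantly; a real modulus must be far larger.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q                          # RSA modulus n (public)
PHI = (P - 1) * (Q - 1)            # phi(n), known only to the ticket issuer
NBYTES = (N.bit_length() + 7) // 8


def omega(n, e):
    """Relation (4): omega = h(n | e). Assumption: SHA-256 over the big-endian byte
    strings of n and e, since the specification does not fix the hash function."""
    data = n.to_bytes((n.bit_length() + 7) // 8, "big")
    data += e.to_bytes((e.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def make_access_ticket_keys(d):
    """Relations (2) and (3): D must be coprime to phi(n); E is its inverse mod phi(n)."""
    if gcd(d, PHI) != 1:
        raise ValueError("D must be coprime to phi(n)")
    return d, pow(d, -1, PHI)


def issue_ticket(d, e_user):
    """Access ticket generation device 12, relation (1): t = D - e + omega * phi(n).
    D, e, omega and phi(n) stay with the issuer; t itself may be handed out openly."""
    return d - e_user + omega(N, e_user) * PHI


def prove(c, t, e_user, n=N):
    """Proving device 11, steps 3 to 5 of both embodiments:
    R' = C^t mod n, S = C^e mod n, R = R' S mod n.
    With the matching (t, e) the exponent is t + e = D + omega*phi(n), so R = C^D mod n."""
    r_prime = pow(c, t, n)
    s = pow(c, e_user, n)
    return (r_prime * s) % n


def random_unit(n):
    """Random number generation means 102: a random r with gcd(r, n) = 1."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def verify_first_embodiment(prover, e_pub, n=N):
    """First embodiment: C = r; accept iff R^E mod n = C mod n, relation (9)."""
    c = random_unit(n)
    response = prover(c)
    return pow(response, e_pub, n) == c % n


def hash_k(k):
    """h(K) as retained by the memory means 310a of the second execution-means example."""
    return hashlib.sha256(k.to_bytes(NBYTES, "big")).digest()


def verify_second_embodiment(prover, e_pub, c_seed, stored_hk, n=N):
    """Second embodiment: C = r^E C' mod n with C' = K^E mod n (relations (10), (11));
    K' = r^-1 R mod n (relation (15)); then h(K') is compared with the stored h(K)."""
    r = random_unit(n)
    c = (pow(r, e_pub, n) * c_seed) % n
    response = prover(c)
    k_prime = (pow(r, -1, n) * response) % n
    return hash_k(k_prime) == stored_hk


def demo(user_e=123456789, other_e=987654321):
    """Run both embodiments for a legitimate user and for a holder of the same ticket
    who lacks the matching user identifying information e. Returns the four verdicts."""
    d, e_pub = make_access_ticket_keys(65537)       # hypothetical D; any unit mod phi(n) works
    t = issue_ticket(d, user_e)                      # ticket bound to user_e
    legit = lambda c: prove(c, t, user_e)
    impostor = lambda c: prove(c, t, other_e)        # right ticket, wrong e
    k = 0x0123456789ABCDEF                           # constructed secret K, K < n
    c_seed = pow(k, e_pub, N)                        # C' = K^E mod n; the verifier never stores K
    stored_hk = hash_k(k)
    return {
        "first_ok": verify_first_embodiment(legit, e_pub),
        "first_wrong_user": verify_first_embodiment(impostor, e_pub),
        "second_ok": verify_second_embodiment(legit, e_pub, c_seed, stored_hk),
        "second_wrong_user": verify_second_embodiment(impostor, e_pub, c_seed, stored_hk),
    }


if __name__ == "__main__":
    print(demo())
```

Run it with Python 3.8 or later (the modular-inverse form of `pow` is needed) and it prints the four verdicts. Note the separation of knowledge the scheme relies on: only the ticket issuer ever touches D, phi(n) and omega; the verifier holds E, n and the seed C' = K^E mod n; the proving device holds t openly and e inside the token, and neither of those alone lets anyone recover D.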

The following paragraphs describe several examples of implementation of the execution means 310.

1. Fig. 7 depicts a first example. A memory means 310a of the execution means 310 retains the data K. Receiving K' from the de-randomizing means 123, a comparison means 310b directly examines the equality K = K'. If the equality does not hold, the execution means 310 suspends its operation immediately. Otherwise, the execution means 310 continues its operation and provides users with utilities. This example has the disadvantage that the data K critical for the authentication procedures appears as it is in the device: when a computer program to be installed and executed on a user's PC or workstation is implemented as the execution means 310, it is not impossible for a user to find out the value K by analyzing the code of the application program. The value K is crucial because, once the user knows the value of K, and further if he/she can predict the random number sequences to be generated by the random number generation means 102, he/she can construct a device simulating the proving device 11 without either an access ticket or a user identifying information e. In other words, anybody could pass the authentication check by the verification device 10 with this simulator, whether he/she is authorized or not.

2. Fig. 9 depicts a second example. In this example, a memory means 310a retains h(K) instead of K, which is the value obtained by applying a one-way hash function h to K. A significant property of one-way hash functions is that it is computationally impossible to calculate x satisfying y = h(x) given y. Receiving K' from the de-randomizing means 123, a hashing means 310c calculates h(K'), which is the result of applying the one-way hash function h to K'.

Then, the comparison means 310b examines the identity of this h(K') and the value stored in the memory means 310a (= h(K)). Compared with the first example, this example is safer since there is no effective means to find out the critical data K: even if a user succeeded in analyzing the code of the program constituting the execution means 310, he/she couldn't find out any more than the value of h(K); due to the property of one-way hash functions, it is computationally impossible to calculate K given h(K). However, when the execution means 310 is implemented as a computer program, the comparison means 310b may be represented as an if-clause. If the verification device is further assumed to be executed on a user's PC or workstation, a user may have a chance to modify the code so that the if-clause is always skipped.

Therefore, the implementation of this example is not safe enough, in particular if the execution means 310 is implemented as a computer program to be executed on a user's PC or workstation.
3. Fig. 11 depicts a third example. This time, protection is applied such that execution of the program of the execution means 310 becomes impossible by encrypting a portion or the whole of the code of the program. The encrypted code is stored in the challenge seed storing means 122 as the seed C' for the challenging data C. More precisely, the crucial data K is the program code to be encrypted, and C' is the RSA encryption of the code K with the public key E and the modulus n ($C' = K^{E} \bmod n$). Both E and n are the values stored in the access ticket public key storing means 101. The execution means 310 includes a code storing means 310d, a code loading means 310e and a code execution means 310f. The code loading means 310e feeds K', which the code storing means 310d received from the de-randomizing means 123, to the code execution means 310f. Only when K' is identical with K is the code fed to the code execution means 310f meaningful as a part of the program of the execution means 310. In the following, a more detailed description of the composition is provided. Consider the case where the execution means 310 is implemented as a computer program executed on a user's PC or workstation. The code storing means 310d is a specified region within the memory of the user's PC.

The code execution means 31 Of comprises the 
CPU and OS of the PC. The CPU and OS, cooper- 
ating with each other, fetch instructions form a cer- 
tain predefined region within the memory space 
(called program region), and executes those 
instructions one by one. Generally speaking, a 
meaningful chunk of instructions is called a pro- 
gram, and a program is located within the program 
region. The entity of the code loading means 31 Oe 
is a part of the program constituting the execution 
means 310. and it is to be executed at first when the 
execution means 310 is invoked. When invoked, the 
code loading means 31 Oe orders the code execu- 
tion means 31 Of to copy the content stored in the 
code storing means 310d onto a specified area 
within the program region, and then orders the code 
execution means 31 Of to execute the copied 
sequence of instructions by issuing a JMP com- 
mand, for example. 

Thus, since a part or the whole of the code of : 
the program of the execution means 310 is 
encrypted, and further since it is decrypted tempo- 
rarily only when the verification device 10 and the 
proving device 1 1 cooperate with each other prop- 
erly, the execution means 310 is much safer than in 
the cases of the preceding two examples: even 
though a user succeeded in analyzing the program, 
he/she couldn't obtain the missing code K at all: 
modifying the code of the program without the 
knowledge about K is definitely no use. 
4. Fig. 13 depicts a fourth example. This example is substantially the same as the third example except that K is the encryption key used in encrypting the code of the program constituting the execution means 310, while K is the code itself in the previous example. Since the code to be encrypted may be of large size, according to the composition of the third example, the size of K (namely, that of C' and C) may be large enough to make the performance of the verification device 10 and the proving device 11 worse. In contrast, according to the composition of the fourth example, the size of K (namely, that of C) remains unchanged irrespective of the size of the program code to be encrypted: the size of K is determined by the cipher algorithm to be used; if DES (Data Encryption Standard) is used, K is always 64 (56) bits long even when the size of the code to be encrypted is measured in Mbytes.

The execution means 310 comprises an encrypted code storing means 310g, a decryption means 310h, a code loading means 310i, and a code execution means 310f. Receiving the data K' from the de-randomizing means 123, the decryption means 310h decrypts the content stored in the encrypted code storing means 310g. In the process of decryption, K' is used as the decryption key. The code loading means 310i loads the output of the decryption means 310h, which is the decrypted code if K' is identical with K, onto a specified area within the program region, and then orders the code execution means 310f to execute the loaded code.



Third Embodiment

In a third embodiment, the definition of an access ticket is given as the relation (16).

t = D + F(n, e) (16)

The following bulleted paragraphs illustrate the symbols appearing in the relation (16).

An integer n is an RSA modulus, hence, a product of two very large prime numbers p and q (n = pq). φ(n) denotes the Euler number of n, hence, a product of the two integers p-1 and q-1 (φ(n) = (p-1)(q-1)).

A user identifying information e is an integer allocated to each user. The user identifying information e is unique to each user: a different user identifying information is allocated to a different user.

An access-ticket secret key D is the private key of an RSA public key pair. Since the assumed modulus is n, D satisfies the relation (17).

gcd(D, φ(n)) = 1 (17)

In the above, gcd(x, y) denotes the greatest common divisor of two integers x and y. The existence of an integer E satisfying the relation (18), which is called an access-ticket public key, is derived from the relation (17).

ED mod φ(n) = 1 (18)

A two-variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be constructed using a one-way hash function h as the relation (19).

F(x, y) = h(x | y) (19)

Figs. 15 and 16 are for depicting this embodiment: Fig. 15 depicts the constitution of the devices of this embodiment; Fig. 16 depicts the flow of data.

In Fig. 15, a proving device 11 comprises a challenging data storing means 111, a first calculation means 112, an access ticket storing means 113, a second calculation means 114, a user identifying information storing means 115, a response generation means 116, and an exponent generation means 130. A verification device 10 in this embodiment may be identical with that in either the first embodiment (shown in Fig. 3) or the second embodiment (shown in Fig. 5).

By the following numbered paragraphs, the function of the means constituting the devices will be described step by step.

1. The verification device 10 is invoked by a user.

2. The verification device 10 sends challenging data C and a modulus n to the challenging data storing means 111 of the proving device 11. The modulus n is stored in the access ticket public key storing means 101, and the challenging data C is generated in one of the manners defined in the first embodiment or the second embodiment: C is identical with either r^E mod n or r^E C' mod n.

3. The first calculation means 112 of the proving device 11 calculates an intermediate result R' according to the relation (20). An access ticket t to be used is stored in the access ticket storing means 113.

R' = C^t mod n (20)

4. The exponent generation means 130 calculates F(n, e) by applying the collision-free function F to the modulus n, stored in the challenging data storing means 111, and the user identifying information e, stored in the user identifying information storing means 115.

F(n, e) (21)

5. Receiving the result from the exponent generation means 130, the second calculation means 114 of the proving device 11 calculates a differential S according to the relation (22).

S = C^{F(n, e)} mod n (22)

6. Receiving R' and S from the first calculation means 112 and the second calculation means 114, the response generation means 116 of the proving device calculates a response R according to the relation (23).

R = R' S^{-1} mod n (23)

In the relation (23), S^{-1} denotes the reciprocal of S under the modulus n. Hence, S and S^{-1} satisfy the relation (24).

S S^{-1} mod n = 1 (24)

7. The proving device 11 returns the generated response R to the response storing means 105 of the verification device 10.

8. The verification device 10 examines the response received from the proving device 11.

Fourth Embodiment

In a fourth embodiment, a proving device 11 comprises a computer program executed on a user's PC or workstation, a smart card or PC card (PCMCIA card) attachable to the user's PC or workstation, and a program executed on this smart card or PC card.

As is obvious from the explanation of the former three embodiments, a user identifying information e, stored in a user identifying information storing means 115, must be kept secret from others. Furthermore, observing the process of execution of a second calculation means 114, which needs e as an input, may lead to a leak of e. The same situation applies to an exponent generation means 130. Consequently, in practical use, the user identifying information storing means 115, the second calculation means 114 and the exponent generation means 130 should be protected by some means against attempts to pry crucial secrets out of them.

One solution is confining the crucial part of the proving device 11 within hardware equipped with a function to prevent its inside from being observed or tampered with by unauthorized means. Generally, such hardware is called tamper-resistant hardware.

In creating the tamper-resistant hardware, it is possible to use the technology disclosed in Patent Number 1,863,953, Patent Number 1,860,463 or Japanese Laid-Open Patent Publication 3-100753, for example. In Patent Number 1,863,953, an enclosure composed of a plurality of cards having multi-layered conductive patterns is provided surrounding an information memory medium. Memory information is destroyed when the conductive pattern which is detected differs from an expected pattern.

In Patent Number 1,860,463, a detection circuit composed of an integration circuit or the like is provided surrounding an information memory medium in addition to a conductive winding being formed, and through this, when there is infiltration into the electronic circuit region, fluctuations in electromagnetic energy are detected and memory information is destroyed.

In Japanese Laid-Open Patent Publication 3-100753, an optical detector is provided within the hardware, and the optical detector detects external light which enters when a force is applied which destroys the hardware or punctures the hardware, and a memory destruction device resets memory information.

Further, choosing tamper-resistant hardware with portability such as a smart card or PC card may provide users with additional merits. Among the information dealt with by a proving device 11, only an access ticket and a user identifying information are unique to an individual user. Hence, for example, it may be useful to confine a user identifying information storing means 115, an access ticket storing means 113, a second calculation means 114 and an exponent generation means 130 within a smart card or PC card, and implement the rest of the proving device 11 as a program to be executed on an arbitrary PC or workstation: a user can use an arbitrary PC or workstation, assuming that the program is installed on it, as his/her proving device only by inserting his/her own smart card or PC card into the computer.

Fig. 17 depicts the constitution of a proving device 11 of the first and second embodiments when a user identifying information storing means 115 and a second calculation means 114 are confined within a smart card.

Fig. 18 depicts the constitution of a proving device 11 of the third embodiment when an exponent generation means 130, in addition to a user identifying information storing means 115 and a second calculation means 114, is confined within a smart card.

For both Figs. 17 and 18, a card-side I/F means 141 within a smart card is an interface to a host computer for communication between the host computer and the smart card. More practically, the card-side I/F means 141 comprises buffer memory and a communication program.

A host-side I/F means 140, which is a part of a host computer, is the counterpart of the card-side I/F means 141. Both I/F means, cooperating with each other, transfer messages from the host computer to the smart card, and vice versa.

The following numbered paragraphs describe the function of the means constituting the devices.

1. The verification device 10 is invoked by a user.

2. The verification device 10 sends challenging data C and a modulus n stored in the access ticket public key storing means 101 to the challenging data storing means 111 of the proving device 11.

3. The host-side I/F means 140 of the proving device 11 sends the challenging data C and the modulus n to the card-side I/F means 141 within the smart card.

4. The access ticket searching means 142 retrieves an access ticket t corresponding to the modulus n that is stored in the challenging data storing means 111. As shown before, in any of the former three embodiments, the definition of an access ticket t involves a modulus n (t = D - e + ωφ(n) or t = D + F(n, e)). In the access ticket storing means 113, zero or more access tickets are stored, and each access ticket is indexed with the modulus that was used in generating the access ticket.

5. The first calculation means 112 of the proving device 11 calculates an intermediate result R' according to the relation (25). An access ticket t is stored in the access ticket storing means 113.

R' = C^t mod n (25)

6. The host-side I/F means 140 issues a requirement for a differential S to the card-side I/F means 141. The response which the host-side I/F means 140 receives is a differential S of one of the following forms: if the access ticket t and the means within the smart card were implemented in the manner of the first and second embodiments, the differential S satisfies the relation (26); if the access ticket t and the means within the smart card were implemented in the manner of the third embodiment, the differential S satisfies the relation (27).

S = C^e mod n (26)

S = C^{F(n, e)} mod n (27)

7. The response generation means 116 of the proving device 11 calculates a response R according to either the relation (28) or (29): if the access ticket t and the means within the smart card were implemented in the manner of the first and second embodiments, the relation (28) shall be applied; if the access ticket t and the means within the smart card were implemented in the manner of the third embodiment, the relation (29) shall be applied.

R = R' S mod n (28)

R = R' S^{-1} mod n (29)

8. The proving device 11 returns the generated response R to the response storing means 307 of the verification device 10.



In this embodiment, it is possible to calculate the intermediate result R' and the differential S concurrently, because the former is calculated within the host computer and the latter within the smart card. Obviously, this concurrent calculation reduces the total time which the proving device 11 needs for calculating a response to received challenging data.

Further, in this embodiment, the access ticket storing means 113 may retain more than one access ticket, and the access ticket searching means 142 retrieves an appropriate access ticket using the modulus issued by the verification device 10 as a key for retrieval. Basically, a different verification device, which may be embedded within a different application program or server program, should assume a different modulus. Therefore, a user who wants to access more than one application program or server program is obliged to have a number of access tickets.

The stated function of the access ticket searching means 142 would release a user from the burden of selecting the correct access ticket by himself.

Fifth Embodiment

In a fifth embodiment, the Pohlig-Hellman asymmetric key cryptography is used instead of the RSA public key cryptography.

In this embodiment, the definition of an access ticket t is given as the relation (30).

t = D + F(p, e) (30)

The following bulleted paragraphs illustrate the symbols appearing in the relation (30).

An integer p is a very large prime number.

A user identifying information e is an integer allocated to each user. The user identifying information e is unique to an individual user: a different user identifying information is allocated to a different user.

An access ticket secret key D is one component of a Pohlig-Hellman asymmetric key pair. Since the assumed modulus is p, D satisfies the relation (31).

gcd(D, p-1) = 1 (31)

In the above, gcd(x, y) denotes the greatest common divisor of two integers x and y. The existence of an integer E satisfying the relation (32), which is called an access-ticket public key, is derived from the relation (31).

ED mod (p-1) = 1 (32)

A two-variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be constructed using a one-way hash function h as the relation (33).

F(x, y) = h(x | y) (33)

Figs. 20 and 21 are for depicting this embodiment: Fig. 20 depicts the constitution of the devices of this embodiment; Fig. 21 depicts the flow of data. In Fig. 20, a proving device 41 comprises the following means: a challenging data storing means 411; a first calculation means 412; an access ticket storing means 413; a second calculation means 414; a user identifying information storing means 415; a response generation means 416; and an exponent generation means 430. On the other hand, a verification device 40 comprises the following means: a key storing means 401; a random number generation means 402; a random number storing means 403; a response storing means 405; a randomizing means 421; a challenge seed storing means 422; a de-randomizing means 423; and an execution means 310.

By the following numbered paragraphs, the function of the means constituting the devices will be described step by step.

1. The verification device 40 is invoked by a user.

2. The verification device 40 sends challenging data C and a modulus p to the challenging data storing means 411 of the proving device 41. The modulus p is stored in the key storing means 401.

In this embodiment the challenging data C is assumed to be generated in a manner similar to that in the second embodiment. However, it is easy to construct another embodiment such that challenging data C is generated in a manner similar to that in the first embodiment. The challenging data C in this embodiment is generated by carrying out the following steps: the random number generation means 402 generates a random integer r so that r and the modulus p are relatively prime (gcd(r, p) = 1); the random integer r is stored in the random number storing means 403; and the randomizing means 421 generates challenging data C according to the relation (34).

C = r^E C' mod p (34)

The integer C' is stored in the challenge seed storing means 422, and satisfies the relation (35) for some data K.

C' = K^E mod p (35)

The exponent E (access ticket public key) and the modulus p are both stored in the key storing means 401.

3. The first calculation means 412 of the proving device 41 calculates an intermediate result R' according to the relation (36). An access ticket t to be used is stored in the access ticket storing means 413.

R' = C^t mod p (36)

4. The exponent generation means 430 calculates F(p, e) by applying the collision-free function F to the modulus p, stored in the challenging data storing means 411, and the user identifying information e, stored in the user identifying information storing means 415.

F(p, e) (37)

5. Receiving the result from the exponent generation means 430, the second calculation means 414 of the proving device 41 calculates a differential S according to the relation (38).

S = C^{F(p, e)} mod p (38)

6. Receiving R' and S from the first calculation means 412 and the second calculation means 414, the response generation means 416 of the proving device 41 calculates a response R according to the relation (39).

R = R' S^{-1} mod p (39)

In the relation (39), S^{-1} denotes the reciprocal of S under the modulus p. Hence, S and S^{-1} satisfy the relation (40).

S S^{-1} mod p = 1 (40)

7. The proving device 41 returns the generated response R to the response storing means 405 of the verification device 40.

8. The de-randomizing means 423 of the verification device 40 calculates K' according to the relation (41).

K' = r^{-1} R mod p (41)

In the course of calculation, the means uses the random number r stored in the random number storing means 403 and the response R stored in the response storing means 405.
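The third embodiment (RSA modulus n, exponents reduced modulo φ(n)) and the fifth embodiment (prime modulus p, exponents reduced modulo p-1) run the same exchange, so one added Python example serves both; it is not the patent's own code. F is instantiated as SHA-256 over the decimal strings of its arguments joined by '|' (an assumed encoding), the challenge follows the second-embodiment form C = r^E C' mod n, and the key sizes are toy values for illustration only.

```python
import hashlib
from math import gcd
from random import randrange


def F(x: int, y: int) -> int:
    """Collision-free F(x, y) = h(x | y) of relations (19) and (33).

    Assumed encoding: the decimal strings of x and y joined by '|', hashed with SHA-256.
    """
    return int.from_bytes(hashlib.sha256(f"{x}|{y}".encode()).digest(), "big")


def make_keys(order: int, E: int) -> int:
    """Return the access-ticket secret key D with E D mod order = 1 (relations (18), (32)).

    RSA (third embodiment):            order = phi(n) = (p-1)(q-1) for n = p q
    Pohlig-Hellman (fifth embodiment): order = p-1 for a prime modulus p
    """
    if gcd(E, order) != 1:
        raise ValueError("E must be coprime to the group order")
    return pow(E, -1, order)


def issue_ticket(D: int, modulus: int, e: int) -> int:
    """Access ticket t = D + F(n, e) (relation (16)) or t = D + F(p, e) (relation (30)).

    Computed by the ticket issuer, who knows D and the user's identifying information e.
    """
    return D + F(modulus, e)


def verifier_challenge(modulus: int, E: int, K: int, r=None):
    """Second-embodiment style challenge: C = r^E C' mod n with the seed C' = K^E mod n.

    K is the crucial data the execution means needs back (program code, or a key for
    it); r is the verifier's secret random number, returned so that the verifier can
    later de-randomize the response.
    """
    C_seed = pow(K, E, modulus)                      # relation (35)
    while r is None or gcd(r, modulus) != 1:
        r = randrange(2, modulus)
    C = pow(r, E, modulus) * C_seed % modulus        # relation (34)
    return C, r


def prover_response(C: int, modulus: int, t: int, e: int) -> int:
    """Proving device: R' = C^t, S = C^F(n, e), R = R' S^-1 (relations (20), (22), (23)).

    Only the ticket t and the user's e are needed; D itself never appears on this side.
    """
    R_prime = pow(C, t, modulus)                     # first calculation means
    S = pow(C, F(modulus, e), modulus)               # second calculation means
    return R_prime * pow(S, -1, modulus) % modulus   # response generation means


def verifier_recover(R: int, r: int, modulus: int) -> int:
    """De-randomizing means: K' = r^-1 R mod n (relation (41))."""
    return pow(r, -1, modulus) * R % modulus


def authenticate(modulus, order, E, K, issuer_e, prover_e, r=None) -> int:
    """Run the whole exchange and return K'.

    K' == K exactly when the ticket was issued for the e the prover holds:
    R = C^(t - F(n, e)) = C^D = r K mod n, so r^-1 R = K.
    """
    D = make_keys(order, E)
    t = issue_ticket(D, modulus, issuer_e)
    C, r = verifier_challenge(modulus, E, K, r)
    R = prover_response(C, modulus, t, prover_e)
    return verifier_recover(R, r, modulus)


if __name__ == "__main__":
    # Toy RSA parameters (constructed): n = 61 * 53, phi(n) = 60 * 52, E = 17.
    n, phi_n, E = 61 * 53, 60 * 52, 17
    print("RSA, legitimate user, K' == K :", authenticate(n, phi_n, E, 65, 4242, 4242) == 65)
    print("RSA, wrong user id,   K' == K :", authenticate(n, phi_n, E, 65, 4242, 4243) == 65)
    # Toy Pohlig-Hellman parameters (constructed): prime p = 1009, order p-1 = 1008, E = 5.
    p = 1009
    print("Pohlig-Hellman, legit, K' == K:", authenticate(p, p - 1, 5, 300, 4242, 4242) == 300)
```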

Sixth Embodiment

A sixth embodiment is substantially similar to the third embodiment except that the ElGamal public key cryptography is used this time instead of the RSA public key cryptography. In this embodiment, the definition of an access ticket t is given as the relation (42).

t = X + F(p, e) (42)

The following bulleted paragraphs illustrate the symbols appearing in the relation (42).

An integer p is a very large prime number.

A user identifying information e is an integer allocated to each user. The user identifying information is unique to an individual user: a different user identifying information is allocated to a different user.

Let (X, Y) be an arbitrary ElGamal asymmetric key pair assuming p is the modulus. Therefore the relation (43) is satisfied.

Y = G^X mod p (43)

In the relation (43), G denotes an integer representing a generator of the multiplicative group of the finite field of order p. Equivalently, G satisfies the relations (44) and (45).

G > 0 (44)

min { x > 0 | G^x mod p = 1 } = p - 1 (45)

X is called an access ticket secret key, while Y is called an access ticket public key.

A two-variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be constructed using a one-way hash function h as the relation (46).

F(x, y) = h(x | y) (46)

Figs. 22 and 23 are for depicting this embodiment: Fig. 22 depicts the constitution of the devices of this embodiment; Fig. 23 depicts the flow of data.

In Fig. 22, a proving device 51 comprises the following means: a challenging data storing means 511; a first calculation means 512; an access ticket storing means 513; a second calculation means 514; a user identifying information storing means 515; a response generation means 516; and an exponent generation means 530. On the other hand, a verification device 50 comprises the following means: an access ticket public key storing means 501; a random number generation means 502; a random number storing means 503; a response storing means 505; a randomizing means 521; a challenge seed storing means 522; a de-randomizing means 523; and an execution means 310.

By the following numbered paragraphs, the function of the means constituting the devices will be described step by step.

1. The verification device 50 is invoked by a user.

2. The verification device 50 sends a pair (u, C) of challenging data and a modulus p to the challenging data storing means 511 of the proving device 51. The modulus p is stored in the access ticket public key storing means 501. On the other hand, the challenging data u and C are generated as follows. The first component u is stored in the challenge seed storing means 522, and satisfies the relation (47) for some secret random number z.

u = G^z mod p (47)

In the challenge seed storing means 522, one more seed C' is stored. C' satisfies the relation (48) for some crucial data K.

C' = Y^z K mod p (48)

Using this C' as a seed, the other component C is generated as follows. The random number generation means 502 generates a random integer r so that r and the modulus p are relatively prime (gcd(r, p) = 1); the random integer r is stored in the random number storing means 503; the randomizing means 521 generates challenging data C according to the relation (49).

C = r C' mod p (49)

3. The first calculation means 512 of the proving device 51 calculates an intermediate result S according to the relation (50). An access ticket t to be used is stored in the access ticket storing means 513.

S = u^t mod p (50)

4. The exponent generation means 530 calculates F(p, e) by applying the collision-free function F to the modulus p, stored in the challenging data storing means 511, and the user identifying information e, stored in the user identifying information storing means 515.

F(p, e) (51)

5. Receiving the result from the exponent generation means 530, the second calculation means 514 of the proving device 51 calculates a differential S' according to the relation (52).

S' = u^{F(p, e)} mod p (52)

6. Receiving S and S' from the first calculation means 512 and the second calculation means 514, the response generation means 516 of the proving device 51 calculates a response R according to the relation (53).

R = S^{-1} S' C mod p (53)

In the relation (53), S^{-1} denotes the reciprocal of S over the modulus p. Hence, S and S^{-1} satisfy the relation (54).

S S^{-1} mod p = 1 (54)

7. The proving device 51 returns the generated response R to the response storing means 505 of the verification device 50.

8. The de-randomizing means 523 of the verification device 50 calculates K' according to the relation (55).

K' = r^{-1} R mod p (55)

In the course of calculation, the means uses the random number r stored in the random number storing means 503 and the response R stored in the response storing means 505.

The straightforward implementation of the above constitution would involve the following problem: use of a common pair of seeds (u, C') for challenging data for more than one occurrence of authentication allows an attacker to construct a device which emulates the proving device 51 without the user identifying information or the access ticket. To construct such an emulator, H = R C^{-1} mod p is recorded first, where C is the challenging data at the first occurrence of authentication and R is the response to C calculated by the proving device 51. The emulator retains this H instead of the user identifying information e and the access ticket t, and on arbitrary input (u, C) issued by the verification device 50, returns a response R calculated according to the relation R = HC mod p. Thus, the verification device 50 should have as many pairs of seeds (u, C') as necessary, and should use a distinct pair for each distinct occurrence of authentication (note that z in u = G^z mod p is a random number).
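The sixth embodiment's exchange, relations (42) to (55), as an added Python example that is not the patent's code; the verifier side draws a fresh seed pair (u, C') for every authentication, as the preceding paragraph requires. is_generator checks relations (44) and (45) by brute force and is therefore for toy-sized p only; F is assumed to be SHA-256 over the decimal strings of its arguments joined by '|'.

```python
import hashlib
from math import gcd
from random import randrange


def F(x: int, y: int) -> int:
    """Collision-free F(x, y) = h(x | y) of relation (46); assumed encoding 'x|y' in decimal."""
    return int.from_bytes(hashlib.sha256(f"{x}|{y}".encode()).digest(), "big")


def is_generator(G: int, p: int) -> bool:
    """Relations (44) and (45) taken literally: G > 0 and min{x > 0 | G^x mod p = 1} = p - 1.

    Brute-force order computation, so only usable for toy-sized primes p.
    """
    if G <= 0 or G % p == 0:
        return False
    x, power = 1, G % p
    while power != 1:
        power = power * G % p
        x += 1
    return x == p - 1


def issue_ticket(X: int, p: int, e: int) -> int:
    """Access ticket t = X + F(p, e), relation (42)."""
    return X + F(p, e)


def verifier_challenge(p: int, G: int, Y: int, K: int, z=None, r=None):
    """Seed pair (u, C') of relations (47), (48) and the randomized challenge C of (49).

    A new secret z, hence a new seed pair, is drawn on every call: the seeds must not
    be shared between authentications, otherwise a recorded response can stand in
    for the proving device (see the paragraph on the straightforward implementation).
    """
    if z is None:
        z = randrange(1, p - 1)
    u = pow(G, z, p)                                 # relation (47)
    C_seed = pow(Y, z, p) * K % p                    # relation (48): C' = Y^z K mod p
    while r is None or gcd(r, p) != 1:
        r = randrange(2, p)
    C = r * C_seed % p                               # relation (49)
    return (u, C), r


def prover_response(u: int, C: int, p: int, t: int, e: int) -> int:
    """Proving device: S = u^t, S' = u^F(p, e), R = S^-1 S' C (relations (50), (52), (53))."""
    S = pow(u, t, p)                                 # first calculation means 512
    S_prime = pow(u, F(p, e), p)                     # second calculation means 514
    return pow(S, -1, p) * S_prime * C % p           # response generation means 516


def verifier_recover(R: int, r: int, p: int) -> int:
    """De-randomizing means 523: K' = r^-1 R mod p, relation (55)."""
    return pow(r, -1, p) * R % p


def authenticate(p, G, X, K, issuer_e, prover_e, z=None, r=None) -> int:
    """Complete exchange; returns K'.

    S^-1 S' = u^-(t - F(p, e)) = u^-X = Y^-z, so R = Y^-z (r Y^z K) = r K mod p and
    the verifier recovers K exactly when the prover's e matches the ticket's.
    """
    Y = pow(G, X, p)                                 # relation (43)
    t = issue_ticket(X, p, issuer_e)
    (u, C), r = verifier_challenge(p, G, Y, K, z, r)
    R = prover_response(u, C, p, t, prover_e)
    return verifier_recover(R, r, p)


if __name__ == "__main__":
    # Toy parameters (constructed): p = 1019 is prime, p - 1 = 2 * 509, and G = 2 generates Z_p^*.
    p, G, X, K = 1019, 2, 321, 123
    assert is_generator(G, p)
    for run in range(3):   # three authentications, each with a fresh (u, C') and r
        print("run", run, "K' == K:", authenticate(p, G, X, K, 555, 555) == K)
    print("wrong user id, K' == K:", authenticate(p, G, X, K, 555, 556) == K)
```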

Seventh Embodiment

A seventh embodiment exploits the ElGamal signature rather than the RSA public key cryptography of the first three embodiments or the ElGamal public key cryptography of the sixth embodiment.

In this embodiment, the definition of an access ticket t is given as the relation (56).

t = X + F(p, e) (56)

The following bulleted paragraphs illustrate the symbols appearing in the relation (56).

An integer p is a very large prime number.

A user identifying information e is an integer allocated to each user. The user identifying information e is unique to an individual user: a different user identifying information is allocated to a different user.

Let (X, Y) be an arbitrary ElGamal asymmetric key pair assuming p is the modulus. Therefore the relation (57) is satisfied.

Y = G^X mod p (57)

In the relation (57), G denotes an integer representing a generator of the multiplicative group of the finite field of order p.

Equivalently, an integer G satisfies the relations (58) and (59).

G > 0 (58)

min { x > 0 | G^x mod p = 1 } = p - 1 (59)

X is called an access ticket secret key, while Y is called an access ticket public key.

A two-variable function F(x, y) is an arbitrary collision-free function. Practically, a collision-free function may be constructed using a one-way hash function h as the relation (60) shows.

F(x, y) = h(x | y) (60)

Figs. 24 and 25 are for depicting this embodiment: Fig. 24 depicts the constitution of the devices of this embodiment; Fig. 25 depicts the flow of data.

In Fig. 24, a proving device 61 comprises the following means: a challenging data storing means 611; a random number generation means 612; a first calculation means 613; a second calculation means 614; an access ticket storing means 615; and a user identifying information storing means 616. On the other hand, a verification device 60 comprises the following means: an access ticket public key storing means 601; a random number generation means 602; a random number storing means 603; a response storing means 605; a verification means 606; an execution means 607; and an error trapping means 608.

By the following numbered paragraphs, the function of the means constituting the devices will be described step by step.

1. The verification device 60 is invoked by a user.

2. The verification device 60 sends challenging data C, a modulus p and a generator G to the challenging data storing means 611 of the proving device 61. The modulus p and the generator G are stored in the access ticket public key storing means 601. On the other hand, the challenging data C is generated as follows: the random number generation means 602 generates a random integer r so that r and the modulus p are relatively prime (gcd(r, p) = 1); the generated random integer r is stored in the random number storing means 603; finally, the random number generation means 602 sets the value of C to r. As stated later in more detail, the response which the proving device 61 is to return to the verification device 60 is the ElGamal signature of r with X as the signature key and p as the modulus.

3. The random number generation means 612 of the proving device 61 generates a random integer k so that k and p are relatively prime (gcd(k, p) = 1). Receiving the random integer k from the random number generation means 612 and the modulus p and the generator G from the challenging data storing means 611, the first calculation means 613 calculates a first component R of a response according to the relation (61):

R = G^k mod p (61)

Concurrently, the second calculation means 614 calculates a second component S of a response according to the relation (62).

S = (C - R (t - F(p, e))) k^{-1} mod (p - 1) (62)

The access ticket t is stored in the access ticket storing means 615, and the modulus p and the challenging data C are stored in the challenging data storing means 611.

4. The proving device 61 returns the generated response (R, S) to the response storing means 605 of the verification device 60.

5. The verification means 606 of the verification device 60 examines the relation (63).

G^r = Y^R R^S mod p (63)

The random integer r is stored in the random number storing means 603; the response pair (R, S) is stored in the response storing means 605; the modulus p, the access ticket public key Y and the generator G are all stored in the access ticket public key storing means 601.
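The seventh embodiment's signature exchange, relations (56) to (63), as an added Python example that is not the patent's code. The inverse k^{-1} in relation (62) is taken modulo p-1, so the code requires gcd(k, p-1) = 1 for it to exist; F is assumed to be SHA-256 over the decimal strings of its arguments joined by '|', and p and G are toy values.

```python
import hashlib
from math import gcd
from random import randrange


def F(x: int, y: int) -> int:
    """Collision-free F(x, y) = h(x | y) of relation (60); assumed encoding 'x|y' in decimal."""
    return int.from_bytes(hashlib.sha256(f"{x}|{y}".encode()).digest(), "big")


def issue_ticket(X: int, p: int, e: int) -> int:
    """Access ticket t = X + F(p, e), relation (56)."""
    return X + F(p, e)


def verifier_challenge(p: int, r=None) -> int:
    """Step 2: the challenge C is the verifier's random r itself.

    p is prime, so any r in [1, p-1] is coprime to it.
    """
    if r is None:
        r = randrange(1, p)
    return r


def prover_sign(C: int, p: int, G: int, t: int, e: int, k=None):
    """Response pair (R, S) of relations (61) and (62): an ElGamal signature of C.

    k^-1 is taken modulo p-1, so k must be coprime to p-1 for it to exist; this is a
    stronger condition than gcd(k, p) = 1, which every k < p satisfies for prime p.
    The signing exponent t - F(p, e) equals X only for the e the ticket was issued for.
    """
    while k is None or gcd(k, p - 1) != 1:
        k = randrange(1, p - 1)
    R = pow(G, k, p)                                                  # relation (61)
    S = (C - R * (t - F(p, e))) * pow(k, -1, p - 1) % (p - 1)         # relation (62)
    return R, S


def verifier_check(r: int, R: int, S: int, p: int, G: int, Y: int) -> bool:
    """Verification means 606: G^r = Y^R R^S mod p, relation (63)."""
    return pow(G, r, p) == pow(Y, R, p) * pow(R, S, p) % p


def authenticate(p, G, X, issuer_e, prover_e, r=None, k=None) -> bool:
    """Complete exchange; True if the verification means accepts the response.

    Y^R R^S = G^(X R) G^(C - X R) = G^C mod p when the prover's e matches the ticket's.
    """
    Y = pow(G, X, p)                                                  # relation (57)
    t = issue_ticket(X, p, issuer_e)
    C = verifier_challenge(p, r)
    R, S = prover_sign(C, p, G, t, prover_e, k)
    return verifier_check(C, R, S, p, G, Y)


if __name__ == "__main__":
    # Toy parameters (constructed): p = 1019 is prime and G = 2 generates Z_p^*.
    p, G, X = 1019, 2, 321
    print("legitimate user accepted:", authenticate(p, G, X, 555, 555))
    print("wrong user id accepted  :", authenticate(p, G, X, 555, 556))
```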

Eighth Embodiment 

An eighth embodiment provides an example of 
specification for ways how to generate access tickets 
safely. 

In all of the previous embodiments, access tickets are calculated as the output of a predefined function on input of specific secret information, namely user identifying information and access ticket secret keys. Since a leak of that secret information threatens the safety of the entire authentication scheme, a safe device may be necessary for generating access tickets.

Such a device is required to absolutely prevent leakage of the secret information contained within it and of the results of calculations carried out within it.

One of the simplest ways to constitute such a safe device is to implement the services of generating and issuing access tickets to users on an isolated computer kept safe from any attempts at illegal access by users. In order to protect that server computer against physical access by users, the computer should be placed in a room to which entry is strictly controlled. Further, if the server computer is networked with users' PCs and access tickets are issued to users over the network, the threat of attacks via the network should be taken into account; in protecting the server computer from those network attacks, firewall technology (for details see "Building Internet Firewalls" by D. Brent Chapman and Elizabeth D. Zwicky, O'Reilly & Associates, Inc.) may be useful.

As shown in the previous embodiments, an access ticket is generated so that only the user to whom the ticket is issued can use it. Speaking more accurately, a user may succeed in the authentication procedure between a verification device and a proving device if and only if he is able to feed to the proving device both an access ticket and the user identifying information based on which the access ticket has been generated.



Moreover, access tickets stated in the previous embodiments satisfy a stricter standard of safety: there is no way to forge an access ticket or to construct a device which emulates the proving device, even though an attacker is assumed to be able to collect an arbitrary number of access tickets issued by legitimate access ticket issuers.

The fact that access tickets satisfy the above standard implies that they are safe enough to be conveyed to users by relatively insecure means such as electronic mail on the Internet.

Ninth Embodiment 

A ninth embodiment uses a composition method for an access ticket and user identifying information differing from those of the previous embodiments: the public information associated with the user identifying information is used instead of the user identifying information itself in generating an access ticket.

Therefore, according to the method stated below, the safe access ticket issuing server stated in the eighth embodiment is not necessary: a user is allowed to generate an access ticket with a program executed on his own PC or workstation. That program doesn't contain any secret information or any secret algorithm.

The identifying information of a user U is the private key $d_u$ of an RSA public key pair. By $(e_u, n_u)$ the public key corresponding to the private key $d_u$ is denoted. Hence $n_u = p_u q_u$ for two distinct large prime numbers $p_u$ and $q_u$, and $d_u$ and $e_u$ are integers determined so as to satisfy the relations (64).

$1 \le d_u < (p_u - 1)(q_u - 1)$ (64)

$1 \le e_u < (p_u - 1)(q_u - 1)$

$e_u d_u \equiv 1 \bmod (p_u - 1)(q_u - 1)$


Hereafter, the condition that $n_u$ is at least as large as a constant N common to all users is further assumed.

An access ticket for a user U is composed as follows: the public key (E, n) of an RSA public key pair is taken to be the public key of the access ticket to be generated; the private key D which is paired with this public key (E, n) is taken to be the secret key of the access ticket; when the prime factorization of n is n = pq, the relations (65) hold; finally, the access ticket is defined by the relation (66).

$1 \le D < N$ (65)

$DE \equiv 1 \bmod (p - 1)(q - 1)$

$t_u = D^{e_u} \bmod n_u$ (66)

In the above composition, the unique security characteristic information for the authentication process is the private key D. As in the previous embodiments, a user succeeds in the authentication procedure if and only if he is able to prove that he has the means to calculate a right response to challenging data issued to him by a verification device: the calculated response is right only when it is calculated based on the unique security characteristic information D.

The composition method presented in this embodiment is characterized by the property that an access ticket is an encryption of the unique security characteristic information D and the user identifying information is the unique decryption key to obtain D from the access ticket. In addition, since the user identifying information is the private key of an RSA key pair, anybody who is allowed to know the public key paired with that private key can generate an access ticket for the user at will.

Hereafter, the device composition and operation of the proving device 71 are described with reference to Fig. 26.



The access ticket secret key D in the definition of the access ticket $t_u = D^{e_u} \bmod n_u$ must be kept secret from the user U. Therefore, the user identifying information storing means 713, the decryption key generation means 712 and the response generation means 714 are to be incorporated in a defense means 760, which is tamper-resistant hardware.

As in the previous embodiments, the verification device authenticates the access rights of the user if and only if he has the right pair of the ticket $t_u$ and the user identifying information $d_u$.



Tenth Embodiment 

A tenth embodiment is substantially the same as the ninth embodiment, except that a response R is calculated using a symmetric key cipher instead of the RSA public key cryptography used in the ninth embodiment, and an access ticket is the RSA encryption of the decryption key D (which is the same as the encryption key) of the symmetric key cipher. As the encryption key to generate the access ticket, the public key $(e_u, n_u)$ and the RSA algorithm are used.

When the encryption function of the symmetric key cipher is expressed as Encrypt(key, plain message) (the output of this function being the cipher message of the plain message which is the second argument of the function) and the decryption function is expressed as Decrypt(key, cipher message) (the output being the plain message corresponding to the cipher message which is the second argument of the function), the challenging data C is defined by relation (69).

$C = \mathrm{Encrypt}(D, K)$ (69)

Furthermore, the access ticket $t_u$ is defined by the relation (70).

$t_u = D^{e_u} \bmod n_u$ (70)

Hereafter, the operation of the proving device 11 is described with reference to Fig. 26.

1. A verification device 10 sends challenging data C to a challenging data storing means 711.

2. A decryption key generation means 712 of the proving device 11 acquires the user identifying information $d_u$ which is stored in a user identifying information storing means 715 and an access ticket $t_u$ which is stored in an access ticket storing means 713, and then calculates D* according to the relation (71).

$D^* = t_u^{d_u} \bmod n_u$ (71)

3. On input of D* calculated by the decryption key generation means 712 and the challenging data C stored in the challenging data storing means 711, a response generation means 714 of the proving device 11 calculates a response R according to the relation (72). The calculated response R is sent back to the verification device 10.

$R = \mathrm{Decrypt}(D^*, C)$ (72)

4. The verification device 10 verifies the legitimacy 
of the response R. 

The foregoing description of preferred embodiments of this invention has been presented for purposes of illustration and description. It is not intended to



1. A verification device 10 sends challenging data C to a challenging data storing means 711 of a proving device 71.

2. A decryption key generation means 712 of the proving device 71 acquires the user identifying information $d_u$ which is stored in a user identifying information storing means 715 and an access ticket $t_u$ which is stored in an access ticket storing means 713, and then calculates D* according to the relation (67).

$D^* = t_u^{d_u} \bmod n_u$ (67)

3. On input of D* calculated by the decryption key generation means 712 and the challenging data C stored in the challenging data storing means 711, a response generation means 714 of the proving device 71 calculates a response R according to the relation (68). The calculated response R is returned to the verification device 10.

$R = C^{D^*} \bmod n$ (68)

4. The verification device 10 verifies the legitimacy of the response R.
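The ninth embodiment's ticket issuance, recovery of D* and response, together with the verifier's checks of claims 18 and 19, as an added worked example (not the patent's own code): the RSA parameters, the constant N, the data K and the blinding factor r are constructed toy values, and the function names are this example's own.

```python
"""Added example, not from the patent: the ninth embodiment, in which the
access ticket is an RSA encryption of the secret key D under the user's own
public key (relations (64) to (68)), checked as in claims 18 and 19."""
import math

# Constructed toy RSA parameters of the access ticket key pair (E, D), modulus n.
TICKET_P, TICKET_Q, TICKET_E = 61, 53, 17
# Constructed toy RSA key pair of the user U, relation (64).
USER_P, USER_Q, USER_E = 71, 67, 13
N_COMMON = 3300  # constructed constant N; every user's n_u must be >= N


def rsa_keypair(p, q, e):
    """Return (e, d, n) with e*d = 1 mod (p-1)(q-1), as in relations (64)/(65)."""
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    return e, pow(e, -1, phi), p * q


def issue_ticket(D, e_u, n_u):
    """Relation (66): t_u = D^{e_u} mod n_u. Needs only the user's public key,
    so no secret-holding server is required (contrast the eighth embodiment)."""
    if not 1 <= D < n_u:
        # D < N <= n_u guarantees that RSA decryption returns D itself.
        raise ValueError("D must be below n_u")
    return pow(D, e_u, n_u)


def recover_secret(t_u, d_u, n_u):
    """Decryption key generation means 712, relation (67): D* = t_u^{d_u} mod n_u."""
    return pow(t_u, d_u, n_u)


def respond(C, D_star, n):
    """Response generation means 714, relation (68): R = C^{D*} mod n."""
    return pow(C, D_star, n)


def verify_direct(C, R, E, n):
    """Claim 18: R^E mod n == C mod n."""
    return pow(R, E, n) == C % n


def blinded_challenge(K, E, n, r):
    """Claim 19: seed C' = K^E mod n, challenge C = r^E C' mod n."""
    if math.gcd(r, n) != 1:
        raise ValueError("blinding factor r must be invertible modulo n")
    return (pow(r, E, n) * pow(K, E, n)) % n


def verify_blinded(K, R, r, n):
    """Claim 19: K mod n == r^{-1} R mod n."""
    return K % n == (pow(r, -1, n) * R) % n


def run_ninth_embodiment(K=42, r=99):
    """Full run with constructed data K and blinding factor r; returns the checks."""
    E, D, n = rsa_keypair(TICKET_P, TICKET_Q, TICKET_E)
    e_u, d_u, n_u = rsa_keypair(USER_P, USER_Q, USER_E)
    if not 1 <= D < N_COMMON <= n_u:       # relation (65) and the bound on n_u
        raise ValueError("parameters violate 1 <= D < N <= n_u")
    t_u = issue_ticket(D, e_u, n_u)        # computed on the user's own PC
    # Everything from here to the response runs inside defense means 760.
    D_star = recover_secret(t_u, d_u, n_u)
    C_plain = pow(K, E, n)                 # verification device encrypts K
    R_plain = respond(C_plain, D_star, n)
    C_blind = blinded_challenge(K, E, n, r)
    R_blind = respond(C_blind, D_star, n)
    return {
        "D_recovered": D_star == D,
        "direct_ok": verify_direct(C_plain, R_plain, E, n) and R_plain == K,
        "blinded_ok": verify_blinded(K, R_blind, r, n),
    }
```

The blinded variant shows why the verification device in claim 19 never has to reveal K: it compares the de-randomized response against K itself.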
2. The device for authenticating user's access rights to resources of claim 1, further comprising:

protect means 160 for preventing any data inside from being observed or being tampered with from the outside, at least confining the second memory means 115 and the response generation means 116.

3. The device for authenticating user's access rights to resources of claim 1, wherein

at least the second memory means 115 and the response generation means 116 are implemented within a small portable device such as a smart card.

4. The device for authenticating user's access rights






be exhaustive or to limit the invention to the precise form 
disclosed, and modifications and variations are possible 
in light of the above teachings or may be acquired from 
practice of the invention. The embodiments were cho- 
sen and described in order to explain the principles of 
the invention and its practical application to enable one 
skilled in the art to utilize the invention in various 
embodiments and with various modifications as are 
suited to the particular use contemplated. It is intended 
that the scope of the invention be defined by the claims 
appended hereto, and their equivalents. 

Claims 



1. A device for authenticating user's access rights to resources comprising:

first memory means 111 for storing challenging data 18;

second memory means 115 for storing unique identifying information of the user 16;

third memory means 113 for storing proof support information 13 which is a result of executing predetermined computations on the user unique identifying information 16 and unique security characteristic information of the device 14;

response generation means 116 for generating a response 19 from the challenging data 18 stored in the first memory means 111, the unique identifying information of the user 16 stored in the second memory means 115, and the proof support information 13 stored in the third memory means 113; and

verification means 106 for verifying the legitimacy of the response 19 by verifying that the response 19, the challenging data 18 and the unique security characteristic information of the device 14 satisfy a specific predefined relation.
to resources of any of claims 1 through 3, wherein

the response generation means 116 comprises:

first calculation means 712 for replaying the unique security characteristic information of the device 14 by executing predetermined calculations on the unique identifying information of the user 16 stored in the second memory means 115 and the proof support information 13 stored in the third memory means 113; and

second calculation means 714 for generating a response by executing predetermined calculations on the challenging data 18 stored in the first memory means 111 and the unique security characteristic information of the device 14 replayed by the first calculation means 712.

5. The device for authenticating user's access rights to resources of any of claims 1 through 3, wherein

the response generation means 116 comprises:

third calculation means 112 for generating first intermediate information by executing predetermined calculations on the challenging data stored in the first memory means and the proof support information stored in the third memory means;

fourth calculation means 114 for generating second intermediate information by executing predetermined calculations on the challenging data 18 stored in the first memory means 111 and the user unique identifying information 16 stored in the second memory means 115; and

fifth calculation means 116 for generating a response by executing predetermined calculations on the first intermediate information generated by the third calculation means 112 and the second intermediate information generated by the fourth calculation means 114.

6. The device for authenticating user's access rights to resources of claim 5, further comprising:

protect means 160 for preventing any data inside from being observed or being tampered with from the outside, at least confining the second memory means 115 and the fourth calculation means 114.

7. The device for authenticating user's access rights to resources of claim 5, wherein

at least the second memory means 115 and the fourth calculation means 114 are implemented within a portable device such as a smart card.
8. The device for authenticating user's access rights to resources of any of claims 1 through 7, wherein

9. The device for authenticating user's access rights to resources of any of claims 1 through 7, wherein

10. The device for authenticating user's access rights to resources of any of claims 1 through 7, wherein

11. The device for authenticating user's access rights to resources of claim 8 or 9, wherein

the cipher function is of the asymmetric key cryptography, and

the unique security characteristic information of the device 14 is one component of the key pair of the cipher function.


12. The device for authenticating user's access rights to resources of claim 11, wherein



13. The device for authenticating user's access rights to resources of claim 8 or 9, wherein

the cipher function is of the symmetric key 
cryptography, and 

the unique security characteristic information 
of the device 14 is the common key of the 
cipher function. 

14. The device for authenticating user's access rights to resources of any of claims 1 through 13, further comprising:

a proving device 11 having the first memory means 111, the second memory means 115, the third memory means 113 and the response generation means 116; and

a verification device 10 having fourth memory means for storing the challenging data 18, fifth memory means 105 for storing the response 19 and the verification means 106, wherein

the verification device 10 transfers the challenging data 18 stored in the fourth memory means to the first memory means 111 of the proving device 11, the proving device 11 transfers the response 19 generated by the response generation means 116 to the fifth memory means 105 of the verification device 10, and the verification means 106 of the verification device 10 verifies the legitimacy of the response stored in the fifth memory means 105.

15. The device for authenticating user's access rights to resources of claim 14, wherein

the unique security characteristic information of the device 14 is an encryption key of a cipher function,

the verification device 10 comprises random number generation means 102 for generating a random number and for storing it in the fourth memory means, and

the verification means 106 verifies the legitimacy of the response by verifying that the response stored in the fifth memory means 105 is identical with encryption of the challenging data stored in the fourth memory means 103 with the encryption key.

16. The device for authenticating user's access rights to resources of claim 14, wherein

the unique security characteristic information of the device 14 is a decryption key of a cipher function,

the verification device 10 comprises random number generation means 102 for generating a random number, sixth memory means 103 for



the cipher function is of the public key cryptography, and

the unique security characteristic information of the device 14 is the private key of the public key pair of the cipher function.



the unique security characteristic information of the device 14 is a decryption key of a cipher function,

the challenging data 18 is encryption of information using the cipher function with the encryption key corresponding to the decryption key, and

the verification means 106 verifies the legitimacy of the response by verifying that the response 19 generated by the response generation means 116 is identical with decryption of the challenging data with the decryption key.



the unique security characteristic information of the device 14 is an encryption key of a cipher function, and

the verification means 106 verifies the legitimacy of the response by verifying that the response 19 generated by the response generation means 116 is identical with encryption of the challenging data with the encryption key.



the characteristic information of the device 14 is the signature key of a digital signature function, and

the verification means 106 verifies the legitimacy of the response by verifying that the response 19 generated by the response generation means 116 is identical with the digital signature for the challenging data, which is calculated with the signature key.
storing the generated random number and seventh memory means 122 for storing a seed for challenging data, and wherein

the random number generation means 102 stores the generated random number in the sixth memory means 103 while randomizing the seed for the challenging data stored in the seventh memory means 122 by executing predefined calculations on the random number stored in the sixth memory means 103 and the seed stored in the seventh memory means 122, and then storing the randomized seed as challenging data in the fourth memory means, and

the verification means 106 of the verification device 10 de-randomizes the response stored in the fifth memory means 105 by executing predefined calculations on the random number stored in the sixth memory means 103 and the response stored in the fifth memory means 105, and then verifies the legitimacy of the de-randomized response by verifying that the de-randomized result is identical with decryption of the seed stored in the seventh memory means 122 with the decryption key which is the unique security characteristic information of the device 14.



17. The device for authenticating user's access rights to resources of claim 14, wherein

the unique security characteristic information of the device 14 is the signature key of a digital signature function, and

the verification device 10 comprises random number generation means 102 for generating a random number and storing the generated random number as challenging data in the fourth memory means, and wherein

the verification means 106 of the verification device 10 verifies the legitimacy of the response by verifying that the response stored in the fifth memory means 105 is identical with the digital signature for the challenging data stored in the fourth memory means, which is calculated with the signature key which is the unique security characteristic information of the device 14.

18. The device for authenticating user's access rights to resources of claim 15, wherein

gruent with the challenging data C stored in the fourth memory means modulo n ($R^E \bmod n = C \bmod n$).

19. The device for authenticating user's access rights to resources of claim 16, wherein

the unique security characteristic information of the device 14 is the private key D of an RSA public key pair with a modulus n,

a seed C' for challenging data stored in the seventh memory means 122 is an RSA-encryption of data K with the public key E of the RSA public key pair ($DE \bmod \varphi(n) = 1$, $C' = K^E \bmod n$),

a random number r generated by the random number generation means 102 is stored in the sixth memory means 103,

challenging data C generated and stored in the fourth memory means satisfies the relation $C = r^E C' \bmod n$, and

the verification means 106 verifies the legitimacy of the response R stored in the fifth memory means 105 by verifying that the quotient of R divided by r modulo n is congruent with the data K modulo n ($K \bmod n = r^{-1} R \bmod n$).

20. The device for authenticating user's access rights to resources of claim 18 or 19, wherein

a proof support information t 13 stored in the third memory means 113 satisfies the relation $t = D - e + w\,\varphi(n)$, where e denotes user unique identifying information 16 stored in the second memory means 115, w denotes a conflict-free random number determined dependent upon both n and e, and $\varphi(n)$ denotes the Euler number of n, and

the response generated by the response generation means 116 is identical with the D-th power of challenging data C stored in the first memory means 111 modulo n ($R = C^D \bmod n$).

21. The device for authenticating user's access rights to resources of claim 20, wherein

the response generation means 116 further comprises:

third calculation means 112 for calculating the t-th power of challenging data C stored in the first memory means 111 modulo n ($C^t \bmod n$), where t denotes proof support information 13 stored in the third memory means 113;

fourth calculation means 114 for calculating the e-th power of the challenging data C modulo n ($C^e \bmod n$), where e denotes user unique identifying information 16 stored in the second memory means 115; and

fifth calculation means 116 for calculating a



the unique security characteristic information of the device 14 is the private key D of an RSA public key pair with a modulus n, and

the verification means 106 verifies the legitimacy of the response by verifying that the E-th power of the response R stored in the fifth memory means 105, where E denotes the public key associated with the private key D, is con-
response R by multiplying the result calculated by the third calculation means 112 by the result calculated by the fourth calculation means 114 modulo n ($R = C^t C^e \bmod n$).

22. The device for authenticating user's access rights to resources of claim 21, further comprising:

protect means 160 for preventing any data inside from being observed or being tampered with from the outside, confining the second memory means 115 and the fourth calculation means 114.

23. The device for authenticating user's access rights to resources of claim 18 or 19, wherein

proof support information t 13 stored in the third memory means 113 satisfies the relation $t = D + F(n, e)$, where e denotes user unique identifying information 16 stored in the second memory means 115, and F(x, y) denotes a two-variable collision-free function, and

a response generated by the response generation means 116 is identical with the D-th power of challenging data C stored in the first memory means 111 modulo n ($R = C^D \bmod n$).

24. The device for authenticating user's access rights to resources of claim 23, wherein

the response generation means 116 further comprises:

third calculation means 112 for calculating the t-th power of challenging data C stored in the first memory means 111 modulo n, where t denotes the proof support information 13 stored in the third memory means 113 ($C^t \bmod n$);

fourth calculation means 114 for calculating the F(n, e)-th power of the challenging data C modulo n ($C^{F(n, e)} \bmod n$), where e denotes the user unique identifying information 16 stored in the second memory means 115 and F(x, y) denotes a two-variable collision-free function; and

fifth calculation means 116 for calculating a response R by dividing the result calculated by the third calculation means 112 by the result calculated by the fourth calculation means 114 modulo n ($R = C^t C^{-F(n, e)} \bmod n$).

25. The device for authenticating user's access rights to resources of claim 24, further comprising:

protect means 160 for preventing any data inside from being observed or being tampered with from the outside, confining the second memory means 115 and the fourth calculation means 114.

26. The device for authenticating user's access rights to resources of claim 15, wherein

the unique security characteristic information of the device 14 is a key D of a Pohlig-Hellman key pair of a modulus p, and

the verification means 106 verifies the legitimacy of the response by verifying that the E-th power of the response R stored in the fifth memory means 105, where E denotes the counterpart key of the key D ($DE \bmod (p - 1) = 1$), is congruent with the challenging data C stored in the fourth memory means modulo p ($R^E \bmod p = C \bmod p$).

27. The device for authenticating user's access rights to resources of claim 16, wherein

the unique security characteristic information of the device 14 is a key D of a Pohlig-Hellman key pair of a modulus p,

a seed C' for challenging data stored in the seventh memory means 422 is Pohlig-Hellman-encryption of data K with the counterpart key E of the key D ($DE \bmod (p - 1) = 1$, $C' = K^E \bmod p$),

a random number r generated by the random number generation means 402 is stored in the sixth memory means 403,

challenging data C stored in the fourth memory means satisfies the relation $C = r^E C' \bmod p$, and

the verification means 106 verifies the legitimacy of the response R stored in the fifth memory means 405 by verifying that the quotient of R divided by r modulo p is congruent with the data K modulo p ($K \bmod p = r^{-1} R \bmod p$).

28. The device for authenticating user's access rights to resources of claim 26 or 27, wherein

proof support information t 13 stored in the third memory means 413 satisfies the relation $t = D + F(p, e)$, where e denotes the user unique identifying information 16 stored in the second memory means 415, and F(x, y) denotes a two-variable collision-free function, and

a response generated by the response generation means 416 is identical with the D-th power of challenging data C stored in the first memory means 411 modulo p ($R = C^D \bmod p$).

29. The device for authenticating user's access rights to resources of claim 28, wherein

the response generation means 416 further comprises:

third calculation means 412 for calculating the t-th power of challenging data C stored in the first memory means 411 modulo p, where t denotes the proof support information 13 stored in the third memory means 413 ($C^t \bmod p$);

fourth calculation means 414 for calculating the F(p, e)-th power of the challenging data C modulo p ($C^{F(p, e)} \bmod p$), where e denotes the user unique identifying information 16 stored in the second memory means 415 and F(x, y) denotes a two-variable collision-free function; and

fifth calculation means 416 for calculating a response R by dividing the result calculated by the third calculation means 412 by the result calculated by the fourth calculation means 414 modulo p ($R = C^t C^{-F(p, e)} \bmod p$).


30. The device for authenticating user's access rights to resources of claim 29, further comprising:

protect means 160 for preventing any data inside from being observed or being tampered with from the outside, confining the second memory means 415 and the fourth calculation means 414.

31. The device for authenticating user's access rights to resources of claim 16, wherein

the unique security characteristic information of the device 14 is the private key X of an ElGamal public key pair with a modulus p and a generator G,

the public key Y corresponding to X is the X-th power of G modulo p ($Y = G^X \bmod p$),

u denotes the z-th power of G modulo p ($u = G^z \bmod p$) for a random number z,

K' denotes the product modulo p of the z-th power of Y modulo p and a data K ($K' = Y^z K \bmod p$),

the seventh memory means 522 retains the pair of u and K',

a random number r generated by the random generation means 602 is stored in the sixth memory means 603,

C denotes the product modulo p of K' and r ($C = r K' \bmod p$),

the fourth memory means retains the pair C and u, and

the verification means 106 verifies the legitimacy of the response R stored in the fifth memory means 505 by verifying that the quotient of R divided by r modulo p is congruent with K modulo p ($K \bmod p = r^{-1} R \bmod p$).

32. The device for authenticating user's access rights to resources of claim 31, wherein

proof support information t 13 stored in the third memory means 513 satisfies the relation $t = D + F(p, e)$, where e denotes the user unique identifying information 16 stored in the second memory means 515 and F(x, y) denotes a two-variable collision-free function, and

a response R generated by the response generation means 516 is identical with the quotient of C divided by the X-th power of u modulo p ($R = u^{-X} C \bmod p$), where the pair C and u is the challenging data stored in the first memory means 511.

33. The device for authenticating user's access rights to resources of claim 32, wherein

the response generation means 516 further comprises:

third calculation means 512 for calculating the t-th power of the component u of the challenging data pair stored in the first memory means 511 modulo p, where t denotes proof support information stored in the third memory means 513 ($u^t \bmod p$);

fourth calculation means 514 for calculating the F(p, e)-th power of u modulo p ($u^{F(p, e)} \bmod p$), where e denotes the user unique identifying information 16 stored in the second memory means 515 and F(x, y) denotes a two-variable collision-free function; and

fifth calculation means 516 for calculating a response R by dividing the product of the other component C of the challenging data pair and the result calculated by the fourth calculation means 514 by the result calculated by the third calculation means 512 modulo p ($R = C\, u^{F(p, e)} u^{-t} \bmod p$).

34. The device for authenticating user's access rights 
to resources of claim 33, further comprising: 

protect means 160 for preventing any data 
inside from being observed or being tampered 
with from the outside, confining the second 
memory means 515 and the fourth calculation 
means 514. 

35. The device for authenticating user's access rights to resources of claim 17, wherein

the unique security characteristic information of the device 14 is the signature key X of an ElGamal public key pair with a modulus p and a generator G,

the public key Y corresponding to X is the X-th power of G modulo p ($Y = G^X \bmod p$),
a response stored in the fifth memory means 605 is a pair of R and S, and

the verification means 606 verifies the legitimacy of the response R stored in the fifth memory means 605 by verifying that the C-th power of G for the challenging data C stored in the fourth memory means is congruent modulo p with the product of the R-th power of Y and the S-th power of R ($G^C \bmod p = Y^R R^S \bmod p$).


36. The device for authenticating user's access rights to resources of claim 35, wherein

proof support information t 13 stored in the third memory means 613 satisfies the relation $t = D + F(p, e)$, where e denotes the user unique identifying information 16 stored in the second memory means 616, and F(x, y) denotes a two-variable collision-free function, and

the response generation means 116 generates a response pair R and S by carrying out the following steps of:

generating a random number k;

calculating R as the k-th power of G modulo p ($R = G^k \bmod p$); and

calculating S according to the relation $S = (C - R \cdot X) \cdot k^{-1} \bmod (p-1)$.
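The response generation of claim 36 and the verification of claim 35 carried out end to end, as an added Python example that is not part of the patent. Assumed, and labelled in the code: the collision-free function F(p, e) is instantiated with SHA-256 (the claims leave it unspecified), the secret added to F(p, e) in "t = D + F(p, e)" is the signature key X of claim 35, and p, G, X, e and the challenge are small constructed values.

```python
# Added example (not the patent's own code): the ElGamal-based proving device
# of claims 35 and 36 and the verification of claim 35. Assumptions, all
# labelled: F(p, e) is instantiated with SHA-256 (the claims only require a
# two-variable collision-free function); the secret added to F(p, e) in
# "t = D + F(p, e)" is the signature key X of claim 35; p, G, X, e and the
# challenge are small constructed values chosen for readability.
import hashlib
import secrets
from math import gcd


def F(p, e):
    """Two-variable collision-free function F(x, y), instantiated here as
    SHA-256 over (p, e) reduced modulo p-1 (assumption)."""
    digest = hashlib.sha256(f"{p}:{e}".encode()).digest()
    return int.from_bytes(digest, "big") % (p - 1)


def make_proof_support(X, p, e):
    """Claim 36: t = X + F(p, e). t is stored in the third memory means 613,
    e (user unique identifying information 16) in the second memory means 616."""
    return X + F(p, e)


def recover_signature_key(t, p, e):
    """X = t - F(p, e); in claim 37 this happens inside protect means 160,
    so X never leaves the protected region."""
    return t - F(p, e)


def generate_response(C, t, e, p, G):
    """Claim 36 steps: random k, R = G^k mod p, S = (C - R*X) * k^-1 mod (p-1).
    k must be invertible modulo p-1 or S cannot be formed."""
    X = recover_signature_key(t, p, e)
    while True:
        k = secrets.randbelow(p - 2) + 1          # 1 <= k <= p-2
        if gcd(k, p - 1) == 1:
            break
    R = pow(G, k, p)
    S = ((C - R * X) * pow(k, -1, p - 1)) % (p - 1)
    return R, S


def verify_response(C, R, S, Y, p, G):
    """Claim 35: accept iff G^C mod p == Y^R * R^S mod p, with 0 < R < p."""
    if not 0 < R < p:
        return False
    return pow(G, C, p) == (pow(Y, R, p) * pow(R, S, p)) % p


def run_protocol(C, X, e, p=2579, G=2):
    """One full exchange: issuer derives t, verifier keeps Y = G^X mod p,
    prover answers challenge C, verifier checks. Returns the verdict."""
    Y = pow(G, X, p)                    # public key held by the verifier
    t = make_proof_support(X, p, e)     # provisioned to the proving device
    R, S = generate_response(C, t, e, p, G)
    return verify_response(C, R, S, Y, p, G)
```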

37. The device for authenticating user's access rights to resources of claim 36, further comprising:

protect means 160 for preventing any data inside from being observed or being tampered with from the outside, confining the second memory means 616 and the fourth calculation means 614.

38. The device for authenticating user's access rights to resources of claim 4, wherein

the user unique identifying information 16 stored in the second memory means 715 is a decryption key of a cipher function,

the proof support information 13 stored in the third memory means 713 is an encryption of the unique security characteristic information of the device with the encryption key corresponding to the decryption key, and

the first calculation means 712 calculates the unique security characteristic information of the device 14 by decrypting the proof support information stored in the third memory means 713 with the decryption key stored in the second memory means 715.

39. The device for authenticating user's access rights to resources of claim 38, wherein

the cipher function is of the asymmetric key cryptography, and

the user unique identifying information 16 is a component of the key pair of the cipher function.

40. The device for authenticating user's access rights 
to resources of claim 39, wherein 

the cipher function is of the public key cryptog- 
raphy, and 

the user unique identifying information 16 is the 
private key of the public key pair of the cipher 
function. 

41. The device for authenticating user's access rights to resources of claim 38, wherein

the cipher function is of the symmetric key cryptography, and

the user unique identifying information 16 is the common secret key of the cipher function.

42. The device for authenticating user's access rights 
to resources of claim 8 or 16, wherein 

the verification device 10 further comprises: 
eighth memory means 310a for storing a clear 
data encryption of which is the challenging 
data or the seed for challenging data stored in 
the first memory means 111; and 
comparison means 310b for examining 
whether the clear data stored in the eighth 
memory means 310a is identical with data 
inputted to the comparison means 310b, and 
wherein 

the verification means 106 feeds the response 
or the de-randomized value of the response 
stored in the fifth memory means 105 to the 
comparison means 310b, receives the answer 
from the comparison means 310b, and thereby 
the verification means 106 verifies the legiti- 
macy of the response if and only if the received 
answer shows that the clear data stored in the 
eighth memory means 310a is identical with 
the data inputted to the comparison means 
310b. 

43. The device for authenticating user's access rights to resources of claim 8 or 16, wherein

the verification device 10 further comprises:

ninth memory means 310a for storing a value obtained by applying a one-way function to clear data encryption of which is the challenging data or the seed for challenging data stored in the seventh memory means 122;

sixth calculation means 310c for outputting a value calculated by applying the one-way function to an inputted data; and

comparison means 310b for examining whether the value stored in the ninth memory means 310a is identical with data inputted to the comparison means 310b, and wherein

the verification means 106 feeds the response or the de-randomized value of the response to the sixth calculation means 310c, receives a result from the sixth calculation means 310c, feeds the result to the comparison means 310b and receives an answer from the comparison means 310b, and thereby the verification means 106 verifies the legitimacy of the response if and only if the received answer shows that the result of the calculation by the sixth calculation means 310c is identical with the data stored in the ninth memory means 310a.

44. The device for authenticating user's access rights to resources of claim 8 or 16, wherein

the verification device 10 further comprises:

program execution means 310 for executing code of a program encryption of which is the challenging data stored in the seventh memory means 122, and wherein

the verification means 106 feeds the response stored in the fifth memory means 105 as program code to the program execution means 310, and

the program execution means 310 correctly functions if and only if the response generation means 116 correctly decrypts the challenging data which is an encryption of the code of the program, that is, the encryption of the program is correctly decrypted.

45. The device for authenticating user's access rights to resources of claim 8 or 16, wherein

the verification device 10 further comprises:

program execution means 310;

program storing means 310g; and

program decryption means 310h, and wherein

the program storing means 310g stores code of a program a part or all of which is encrypted, an encryption of the decryption key for the partial or whole encrypted program code is the challenging data stored in the seventh memory means 122,

the verification means 106 feeds the response to the program decryption means 310h,

the program decryption means 310h decrypts the program stored in the program storing means 310g with the response as a decryption key, and

the program execution means 310 correctly executes the decrypted program if and only if the response generation means 116 correctly decrypts the challenging data, that is, the decryption key for decrypting the encryption of the program is correctly decrypted.

46. The device for authenticating user's access rights to resources of claim 14, wherein

the proving device 11 and the verification device 10 are installed in a box material, and the verification device 10 transfers the challenging data 18 stored in the fourth memory means to the first memory means 111 of the proving device 11 and the proving device 11 transfers the response 19 generated by the response generation means 116 to the fifth memory means 105 of the verification device 10 without using a communication network outside of the box material.

47. A method for authenticating user's access rights to 
resources by verifying the legitimacy of a response 
generated from challenging data for proving the 
user's access rights, comprising: 

a step for storing the challenging data; 

a step for storing unique identifying information of the user; 

a step for storing proof support information 
which is a result of predetermined computa- 
tions to the unique identifying information of the 
user and unique security characteristic infor- 
mation; 

a step for generating a response by executing 
predetermined computations to the challenging 
data, the unique identifying information of the 
user and the proof support information; and 
a step for verifying the legitimacy of the 
response by verifying that the response, the 
challenging data and the unique security char- 
acteristic information satisfy a specific prede- 
fined relation. 

48. A computer program product for use with a compu- 
ter, the computer program product comprising: 

a computer usable medium having computer 
readable program code means embodied in 
the medium for causing the computer to 
authenticate user's access rights to resources 
by verifying the legitimacy of a response 19 
generated from challenging data 18 for proving 
the user's access rights, the computer program 
product having: 

computer readable program code means for 
causing the computer to store the challenging 
data 18; 

computer readable program code means for causing the computer to store unique identifying information of the user 16;

computer readable program code means for causing the computer to store proof support information 13 which is a result of predetermined computations to the unique identifying information of the user 16 and unique security characteristic information 14;

computer readable program code means for causing the computer to generate a response 19 by executing predetermined computations to the challenging data 18, the unique identifying information of the user 16 and the proof support information 13; and

computer readable program code means for causing the computer to verify the legitimacy of the response 19 by verifying that the response 19, the challenging data 18 and the unique security characteristic information 14 satisfy a specific predefined relation.

49. A computer program product for use with a computer, the computer program product comprising:

a computer usable medium having computer readable program code means embodied in the medium for causing the computer to generate a response 19 from challenging data 18, the legitimacy of which is to be verified for authenticating user's access rights, the computer program product having:

computer readable program code means for causing the computer to store the challenging data 18;

computer readable program code means for causing the computer to store unique identifying information of the user 16;

computer readable program code means for causing the computer to store proof support information 13 which is a result of predetermined computations to the unique identifying information of the user 16 and unique security characteristic information 14; and

computer readable program code means for causing the computer to generate a response 19 by executing predetermined computations to the challenging data 18, the unique identifying information of the user 16 and the proof support information 13.

50. A program execution control device for authenticating user's access rights to resources by verifying the legitimacy of a response generated from challenging data for proving the user's access rights and controlling execution of a program based on the authentication of the user's access rights, comprising:

first memory means 111 for storing challenging data 18;

second memory means 115 for storing unique identifying information of the user 16;

third memory means 113 for storing proof support information 13 which is a result of predetermined computations to the unique identifying information of the user 16 and unique security characteristic information of the device 14;

response generation means 116 for generating a response 19 by executing predetermined computations to the challenging data 18, the unique identifying information of the user 16 and the proof support information 13;

verification means 106 for verifying the legitimacy of the response 19 by verifying that the response 19, the challenging data 18 and the unique security characteristic information 14 satisfy a specific predefined relation; and

continuation means for continuing execution of the program if the legitimacy of the response is verified.

51. An information processing apparatus for authenticating user's access rights to specific information processing resources by verifying the legitimacy of a response 19 generated for proving the user's access rights and permitting access to the specific information processing resources, comprising:

first memory means 111 for storing challenging data 18;

second memory means 115 for storing unique identifying information of the user 16;

third memory means 113 for storing proof support information 13 which is a result of predetermined computations to the unique identifying information of the user 16 and unique security characteristic information 14;

response generation means 116 for generating a response 19 by executing predetermined computations to the challenging data 18, the unique identifying information of the user 16 and the proof support information 13;

verification means 106 for verifying the legitimacy of the response 19 by verifying that the response 19, the challenging data 18 and the unique security characteristic information 14 satisfy a specific predefined relation; and

permission means for permitting access to the specific information processing resources if the legitimacy of the response is verified.
(57) Abstract

An entity such as a smart card (30) includes microprocessor means (36), input/output means (44) and PROM storage means (42) which stores a set of transformations $S_i$ (i = 1, ..., n) of a corresponding set of public factors $F_i$ (i = 1, ..., n), where $S_i = F_i^d \pmod N$, d being the secret key counterpart of a public key e associated with the modulus N, which is the product of two primes. An authentication device (32) which stores the public factors $F_i$ and the values of N and e, generates an n-bit random vector $V = v_i$ which is transmitted to the card (30) where a product Y of the values $S_i$ selected according to the 1-bits of V is computed and transmitted to the authentication device (32) which computes $X_{act} = Y^e \pmod N$ and also computes $X_{ref}$, the product of the $F_i$ selected according to the 1-bits of V. If $X_{act}$ and $X_{ref}$ are equal, then the card is authenticated to within a certain probability. An analogous method is disclosed for certifying messages to be transmitted. In further embodiments, a higher degree of security is achieved by arranging for the entity being authenticated, or the certifying entity, to select an additional secret factor or plurality of secret factors.
METHOD AND DEVICE FOR AUTHENTICATION 

This invention relates to the authentication of devices 
and messages. 

It is a common requirement to verify the authenticity of 
data which may represent monetary value or may imply the 
authenticity of the entity generating that data. 

To impede forgery, only a manufacturing source which 
produces entities should possess the means to produce 
authentication devices for the entities. This implies 
that the source must possess some secret. The diffi- 
culty in proving authenticity is in providing the means 
to the authenticator to achieve that proof. Many 
systems employ an algorithm driven by a secret key such 
that a data string passed through the algorithm results 
in a secret transformation of that data. The data so 
transformed is used as an authentication certificate or 
code which may be tested by an authenticator. One 
method of testing involves the authenticator in perform- 
ing the same secret transformation of the data to yield 
an authentication certificate which is compared for 
equality with that provided by the source entity. 

The problem with this technique is that the authentica- 
tor must duplicate the data manipulation by the source 
so as to compare the result for equality. This means 
that an authenticator can forge an authentication 
certificate and claim that it emanated from the source. 
Another problem is that the authenticator must also have 
knowledge of the key. This problem is particularly 
acute if several entities need to authenticate another 
entity, since each must possess the secret key. 
Disclosure of this key by one authenticator therefore 
compromises all authenticators and the source. 
Furthermore, the secret key must be securely distributed 
to each potential authenticator prior to the event. 
This therefore limits the ability to authenticate to 
only those trusted entities which were anticipated to 
require the function. 

Where it may be necessary for a large number of unpre- 
dictable entities to possess the ability to authenticate 
another entity, the use of secret key algorithms is 
somewhat impractical. Further, when it is desirable 
that the authenticator be completely denied the ability 
to forge an authentication certificate the duplicative 
equality test method cannot be employed. 

Another known technique employs the art of public key cryptography wherein an asymmetrical algorithm is used. Public key cryptography is described in the article Communications of the ACM, vol. 21, No. 2, February 1978, pages 120-126, R.L. Rivest et al., "A Method for Obtaining Digital Signatures and Public Key Cryptosystems". In this known technique, a data element or a change sensitive compression of a data string is enciphered using a secret key or procedure. Authenticity is proven by obtaining the original data element (or change sensitive compression) which is used as a reference value and then using a public key or procedure to decipher the data supplied by the source. Equality of the deciphered data with the reference data implies that the secret key or procedure was employed and thus that the data is authentic.

This technique permits any entity to know the public key or procedure with which to prove the authenticity of data emanating from an entity possessing the complementary secret key or procedure. Consequently, the key distribution problem is significantly eased as prior knowledge and secrecy are not required.
However, the publicly known procedure must not permit the secret key or procedure to be easily determined. Generally, the algorithms possessing this property require substantial computing power to perform the secret procedure. This usually renders them unsuitable for low cost devices where operational speed is a requirement. If multiple portable devices or the data emanating from them must be able to be tested for authenticity, then the secret key and algorithm must be contained in each device. In this case, disclosure of the secret key in one device will compromise all similar devices.

This technique is therefore not practical for low cost replicated devices.

European Patent Application No. 0 252 499 discloses a method for creating a unique card identifier in the form of a "smart card" which involves selecting a modulus which is a product of two primes, preparing a string of information unique to the card identifier, utilizing a pseudo-random function to transform such string and a plurality of selected indices to derive an associated plurality of values which are quadratic residues with respect to the modulus, computing the square roots of the reciprocals of the quadratic residues, and recording the information string, such square roots and the related indices in the card identifier. Such card is authenticated by transmitting the information string and the selected indices from the card to a verification device and generating in the verification device the quadratic residues utilizing the pseudo-random function, selecting in the card a random number, computing the squared value of the random number and transmitting such squared value from the card to the verification device, generating in the verification device a random vector which is sent to the card, computing in the card the product of the random number and a selection of the stored square root values dependent on the random vector, transmitting the product to the verification device, squaring the transmitted product and multiplying such squared value by a selection of the computed quadratic residue values selected in accordance with the random vector, and checking that the result value is equal to the squared random number. This known method is complex and in particular involves the selection and utilization of quadratic residue values.

It is an object of the present invention to provide a relatively simple method and apparatus for the authentication of devices and messages.

Therefore, according to a first aspect of the present invention, there is provided a method of manufacturing an entity, including the steps of:

(a) selecting a modulus N which is a product of at least two prime numbers;

(b) selecting an integer e which is relatively prime to $\varphi(N)$, where $\varphi(N)$ is Euler's totient function of N; and

(c) determining an integer d such that $e \cdot d = 1 \pmod{\varphi(N)}$, characterized by the steps of:

(d) selecting a set of n public factors $F_1, \ldots, F_n$ ($0 < F_i < N$);

(e) calculating $S_i = F_i^d \pmod N$ for i = 1, ..., n; and

(f) storing the n values $S_i$ (i = 1, ..., n) and the value N in said entity.

According to a second aspect of the invention, there is provided a method of authenticating an entity according to the first aspect of the invention, characterized by the steps of:

(j) placing said entity in communication with an authentication device;

(k) generating in said authentication device an n-bit binary string $V = v_i$ (i = 1, ..., n);

(l) transmitting said binary string V to said entity;

(m) calculating, in said entity

$$Y = \prod_{v_i = 1} S_i \pmod N;$$

(n) transmitting Y to said authentication device;

(o) calculating, in said authentication device

$$X_{ref} = \prod_{v_i = 1} F_i \pmod N$$

and

$$X_{act} = Y^e \pmod N;$$

and

(p) comparing $X_{ref}$ and $X_{act}$.

According to a third aspect of the invention, there is provided a method of certifying a message M generated by or presented to an entity manufactured according to the first aspect of the invention, characterized by the steps of:

(q) computing a change-sensitive transformation H of said message M;

(r) generating an n-bit binary string $V = v_i$ (i = 1, ..., n), using the computed value of H;

(s) computing

$$Y = \prod_{v_i = 1} S_i \pmod N;$$

and

(t) appending Y as a message authentication code (MAC) certificate to said message M.

According to a fourth aspect of the invention, there is provided an entity including processing means, input/output means and memory means, characterized in that said memory means has stored therein a modulus N which is the product of at least two prime numbers and a set of n factors $S_i$ (i = 1, ..., n) where

$$S_i = F_i^d \pmod N,$$

where d is the secret key counterpart of a public key e, associated with the modulus N, and $F_i$ (i = 1, ..., n) are n public factors, $0 < F_i < N$, and wherein said processing means is adapted to compute

$$Y = \prod_{v_i = 1} S_i \pmod N$$

where $V = v_i$ is an n-bit binary string.

According to a fifth aspect of the invention, there is provided an authentication device for use with an entity according to the fourth aspect of the invention, including further processing means, further input/output means and further memory means, characterized in that said further memory means has stored therein said n public factors $F_i$ (i = 1, ..., n), said modulus N, and said public key e, and wherein said further processing means is adapted to compute

$$X_{ref} = \prod_{v_i = 1} F_i \pmod N$$

and

$$X_{act} = Y^e \pmod N$$

using the stored values of $F_i$, N and e, and to compare $X_{ref}$ with $X_{act}$.

Embodiments of the present invention will now be described by way of example, with reference to the accompanying drawings, in which:-

Fig. 1 is a block diagram showing the procedure utilized by a card issuer in creating a smart card;

Fig. 2 is a block diagram of a card in operative association with a card acceptor device;

Fig. 3 is a block diagram of a message source unit;

Fig. 4 is a block diagram of a message authentication unit; and

Fig. 5 is a diagram showing the map of a memory utilized in an alternative embodiment of the invention.
Firstly, the theoretical basis underlying the invention will be explained, as an aid to understanding the invention. It is known that, if N is the product of (at least) two prime numbers P, Q, i.e., if

$$N = P \cdot Q;$$

and if e is relatively prime to $\varphi(N)$, where

$$\varphi(N) = (P - 1) \cdot (Q - 1)$$

is Euler's totient function (the number of integers less than N which are relatively prime to N), then, in modulus N arithmetic, a value d can be determined (see for example, the aforementioned article by Rivest et al) which is the multiplicative inverse of e such that

$$e \cdot d = 1 \pmod{\varphi(N)}.$$

The value d is commonly referred to as the secret key counterpart of the public key e.

Thus, if

$$X = Y^e \pmod N,$$

then

$$Y = X^d \pmod N$$

for all values of Y, $0 < Y < N$.

Furthermore, if

$$X = F_1 \cdot F_2 \cdots F_n \pmod N \quad (1)$$

where $F_i$ (i = 1, ..., n) are integer values, with

$$0 < F_i < N$$

then

$$X^d \pmod N = F_1^d \cdot F_2^d \cdots F_n^d \pmod N$$

and

$$X^d \pmod N = \{ F_1^d \pmod N \cdot F_2^d \pmod N \cdots F_n^d \pmod N \} \pmod N$$

Let

$$S_i = F_i^d \pmod N; \quad i = 1, \ldots, n \quad (2)$$

Then

$$X^d \pmod N = S_1 \cdot S_2 \cdots S_n \pmod N$$

Let

$$Y = X^d \pmod N$$

Therefore

$$Y = S_1 \cdot S_2 \cdots S_n \pmod N \quad (3)$$

Let V represent a binary string of n bits, $V = v_1 \ldots v_n$ such that each bit $v_i$ of V is a flag indicating the inclusion of the corresponding $F_1, \ldots, F_n$ and $S_1, \ldots, S_n$ in the calculation of X and Y respectively, so that

$$X = \prod_{v_i = 1} F_i \pmod N. \quad (4)$$

From (3),

$$Y = \prod_{v_i = 1} S_i \pmod N \quad (5)$$

Therefore, provided that the N and d values employed in (1) and (2) satisfy the above requirements, then

$$X = \prod_{v_i = 1} F_i \pmod N = \left\{ \prod_{v_i = 1} S_i \pmod N \right\}^e \pmod N = Y^e \pmod N$$

for all values of $F_i$, $0 < F_i < N$.

With the above in mind, a first embodiment of the invention will now be described, wherein multiple low cost devices, in the form of entities which will be referred to in the descriptions of the preferred embodiments as smart cards, are produced by a card issuer and distributed to individuals. The embodiment enables such issued cards to be expeditiously authenticated by verifying devices.

Referring first to Fig. 1, a card issuer selects, as shown at box 12, a plurality of n public factors $F_i$ (i = 1, ..., n), where $0 < F_i < N$, and such factors, together with the value of the modulus N and the value of e are made publicly available to authenticators, that is, organizations which may wish to authenticate smart cards issued by the smart card issuer. In a particular application a suitable value for n is 32, and the value of N is in the range $2^{512} < N < 2^{513}$.



The card issuer computes the n values $S_i$, where

$$S_i = F_i^d \pmod N \quad i = 1, \ldots, n$$

as shown at box 14, using provided values of N and d (box 16), where d is maintained secret. These values are also maintained secret. The card issuer then issues cards which contain n values $S_i$ (i = 1, ..., n) stored in a secure manner, for instance in a secure PROM. It should be understood that by a "secure PROM" herein is meant a PROM the contents of which are protected from unauthorized read-out, for example, such protection may involve software protection and hardware protection in the form of shielding.

When it is desired to authenticate a smart card 30, Fig. 2, the card 30 is inserted into a card acceptor device 32, whereby a data communication path 34 is established between the smart card 30 and the card acceptor device 32.

The smart card 30 includes a microprocessor 36, a RAM 38, a program PROM 40 which stores the program controlling the operation of the card 30, a secure PROM 42 containing the n values $S_i$ (i = 1, ..., n) stored in respective storage locations 102-1 to 102-n and the value N stored in a storage location 104, and an input/output unit 44. Alternatively, since N is a public value, it could be stored in the RAM 38. The devices 36, 38, 40, 42 and 44 within the card are interconnected by a communications bus 46.

The card acceptor device 32 includes a microprocessor 50, a RAM 52, a program PROM 54 which stores the program controlling the operation of the acceptor device 32, a keyboard 56, a display 58, a printer 60, a random number generator 62, and an input/output unit 64. The RAM 52 includes storage locations 112-1 to 112-n storing the n public factors $F_1, \ldots, F_n$ and storage locations 114, 116 storing the values N and e, respectively. The various units located in the card acceptor device 32 are interconnected by a communications bus 66.

When a card 30 inserted into the card acceptor device 32 is to be checked for authenticity, the random number generator 62 generates an n-bit random number V having n bits $v_i$ (i = 1, ..., n). In order to ensure that V contains at least two bits equal to binary 1, the microprocessor 50 is controlled, if necessary, to set the least significant bits of V progressively to binary 1 until at least two binary 1 bits are present in V. Thus, if the initial value of V is all zero bits, then the two least significant bits are set to binary 1. The value V is stored in the RAM 52.

The value V is then transmitted from the RAM 52 via the input/output unit 64 over the communication path 34 and the input/output unit 44 and is stored in the RAM 38 contained in the card 30. The microprocessor 36 checks that V contains at least two binary 1 bits, and if so, computes the value Y where

$$Y = \prod_{v_i = 1} S_i \pmod N$$

using the values $S_i$ stored in the PROM 42.

The value Y is then transmitted via the input/output unit 44, the transmission path 34 and the input/output unit 64 and is stored in the RAM 52. Using the values $F_i$ (i = 1, ..., n), V, and e, stored in the RAM 52, the microprocessor 50 then computes

$$X_{ref} = \prod_{v_i = 1} F_i \pmod N$$

and

$$X_{act} = Y^e \pmod N,$$

and tests whether

$$X_{ref} = X_{act}.$$



Equality implies the authenticity of the $X_{act}$ response with probability of 1:N. The authenticity of the card 30 producing the response has a probability of $1 : 2^n - n$. By issuing repetitive random challenges in the form of random values of V, the probability that the card 30 is authentic increases exponentially by $1 : (2^n - n)^j$ where j is the number of challenges issued.
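The issuer, card and card-acceptor computations of the embodiment above, carried through j repeated challenges and extended to the message certificate of the third aspect, as an added Python example that is not part of the patent. Assumed, and labelled in the code: small constructed primes, e, factors F_i and messages; for the certificate, H = M^e mod N folded into n bits by exclusive-or as the second embodiment later describes, with zero padding of the incomplete field and the two-ones rule of the first embodiment carried over.

```python
# Added example (not the patent's own code): the card-issuer, card and
# card-acceptor computations of the first and second aspects, plus the message
# certificate of the third aspect. The primes, e, F_i and messages below are
# small constructed values chosen for readability; the text itself calls for
# n = 32 and a 512-bit N.
from math import gcd
import secrets


def make_keys(P, Q, e):
    """Steps (a)-(c): N = P*Q, e relatively prime to phi(N), d = e^-1 mod phi(N)."""
    N = P * Q
    phi = (P - 1) * (Q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(N)")
    d = pow(e, -1, phi)          # e*d = 1 (mod phi(N)); d stays with the issuer
    return N, d


def issue_entity(N, d, F):
    """Steps (d)-(f): the issuer stores S_i = F_i^d (mod N) in the secure PROM."""
    if not all(0 < Fi < N for Fi in F):
        raise ValueError("public factors must satisfy 0 < F_i < N")
    return [pow(Fi, d, N) for Fi in F]


def ensure_two_ones(V):
    """Fig. 2 embodiment: set least significant bits to 1, one at a time,
    until the challenge V contains at least two binary 1 bits."""
    bit = 0
    while bin(V).count("1") < 2:
        V |= 1 << bit
        bit += 1
    return V


def selected_product(values, V, N):
    """prod_{v_i = 1} values[i] (mod N); bit i of V is the inclusion flag."""
    out = 1
    for i, val in enumerate(values):
        if (V >> i) & 1:
            out = (out * val) % N
    return out


def card_respond(S, V, N):
    """Step (m), in the card: Y = prod_{v_i=1} S_i (mod N), at most n-1
    multiplications and no use of d. The card re-checks the two-ones rule."""
    if bin(V).count("1") < 2:
        raise ValueError("challenge must contain at least two 1 bits")
    return selected_product(S, V, N)


def acceptor_check(F, V, Y, N, e):
    """Steps (o)-(p): X_ref = prod_{v_i=1} F_i, X_act = Y^e, compare."""
    X_ref = selected_product(F, V, N)
    X_act = pow(Y, e, N)
    return X_ref == X_act


def authenticate(F, S, N, e, n, rounds=1):
    """Run j = rounds random challenges; the card passes only if all agree."""
    for _ in range(rounds):
        V = ensure_two_ones(secrets.randbits(n))    # step (k)
        Y = card_respond(S, V, N)                    # steps (l)-(n)
        if not acceptor_check(F, V, Y, N, e):
            return False
    return True


def fold_to_n_bits(H, n):
    """Second embodiment: split the binary value of H into n-bit sub-fields
    and XOR them together (assumed: an incomplete top field is zero-padded)."""
    V = 0
    while H:
        V ^= H & ((1 << n) - 1)
        H >>= n
    return V


def message_vector(M, N, e, n):
    """Steps (q)-(r): H = M^e (mod N), then V derived from H. Applying the
    two-ones rule here is an assumption carried over from the first embodiment."""
    H = pow(M, e, N)
    return ensure_two_ones(fold_to_n_bits(H, n))


def certify_message(M, S, N, e, n):
    """Step (s): the MAC certificate Y = prod_{v_i=1} S_i (mod N) appended to M."""
    return selected_product(S, message_vector(M, N, e, n), N)


def verify_certificate(M, Y, F, N, e, n):
    """Check implied by the second aspect: recompute V from M, test Y^e == X_ref."""
    return acceptor_check(F, message_vector(M, N, e, n), Y, N, e)
```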

It will be appreciated that the card 30 needs only to compute

$$Y = \prod_{v_i = 1} S_i \pmod N$$

to respond to a challenge. Since this is at most n-1 multiplications using modulo N arithmetic, the work factor is significantly less than $Y = X_{ref}^d \pmod N$ for any large value of d. In this connection, it will be appreciated that since d is in effect the secret key associated with the card 30, and given that

$$e \cdot d = 1 \pmod{\varphi(N)}$$

then d will be in the order of magnitude of 2N/3 for convenient values of e. Thus, in the described embodiment, authentication security comparable to that achievable with public key digital signature methods is achieved with significantly less computational effort. Furthermore, with no secret key used during the authentication process, it is possible to produce multiple cards 30 loaded with the $S_1, \ldots, S_n$ values which may be dynamically challenged by a verifying device to achieve similar confidence levels to those obtained with public key digital signature authentication methods.

It will be appreciated that the result of the authenti-
cation procedure can be indicated on the display 58 and/
or recorded by the printer 60.

In a second embodiment of the invention, a data string
forming a message M is authenticated by appending a
certificate thereto. Such message M could, for example,
be a data string representing a legal document, a
program file, or other information. Referring to Fig.
3, there is shown a message source unit 30A, which
includes a message buffer 70 adapted to temporarily
store a message M to be authenticated. The message
source unit 30A further includes a microprocessor 36A, a
RAM 38A, a program PROM 40A, a secure PROM 42A and an
input/output unit 44A connected to a communications path
34A. The message source unit 30A also includes a com-
munications bus 46A interconnecting devices 36A, 38A,
40A, 42A, 44A and 70 therein. It will be appreciated
that the devices having the references with suffix A in
Fig. 3 correspond to similarly referenced devices in the
smart card 30 shown in Fig. 2, and in a practical
implementation, the message source unit 30A could be a smart
card. Furthermore, the secure PROM 42A stores the
values S_1, S_2, ..., S_n in locations 102A-1 to 102A-n, the
value of the modulus N in storage location 104A and the
value of e in storage location 106A. Clearly, the
values of N and e, being public values, could alterna-
tively be stored in the RAM 38A.

A message M stored in the message buffer 70 is authenti- 
cated by appending thereto a message authentication code 
(MAC) which is computed in the following manner. 

Using the stored values of N and e, the microprocessor
36A first computes a change-sensitive transformation H
of the message M. In the preferred embodiment, this is
effected by computing:

H = M^e \pmod{N}

The value H is then converted to a binary value J, which
is segmented into sub-fields of length n (with padding
of an incomplete field with predetermined binary bits if
necessary) and the individual sub-fields are added
together modulo 2 (exclusive-or operation) such that the
resultant binary string is used as V = v_i (i=1, ..., n)
in the calculation of Y, where

Y = \prod_{v_i=1} S_i \pmod{N},

as described in the first embodiment.

This value of Y is then appended as a message authenti-
cation code (MAC) when the message M is transmitted from
the message source unit 30A via the input/output unit
44A to a communication path 34A.

An authentication device 32A, Fig. 4, which is of
generally similar construction to the card acceptor
device 32 shown in Fig. 2 may be used to authenticate
the transmitted message M. The authentication device
32A includes a message buffer 72, a RAM 52A, a program
PROM 54A, a keyboard 56A, a display 58A, a printer 60A,
an input/output unit 64A and an interconnecting commu-
nications bus 66A.

Stored in the RAM 52A, in locations 112A-1 to 112A-n,
114A and 116A, are the public factor values F_1, ..., F_n,
together with the public key e and modulus N.

The message M, received over the communications path 34A,
is stored in the message buffer 72, together with the
MAC, Y.

Using the received message M, the microprocessor 50A
computes H and J to obtain V as in the message source
unit 30A, and then computes

X_{ref} = \prod_{v_i=1} F_i \pmod{N}

utilizing the public factors F_i stored in the RAM 52A.

Using the received value Y stored in the message buffer
70, the microprocessor 50A then computes

X_{act} = Y^e \pmod{N}.

Finally, the values of X_act and X_ref are compared using
the microprocessor 50A. Equality of X_act and X_ref
implies that the message source unit 30A possessed S_1,
..., S_n, and thus that the message M is authentic,
within a probability of 1:N. It will be appreciated
that this embodiment has the advantage that a low cost
device (message source unit 30A) may readily certify
data emanating from it with a probability of 1:N.

It should be understood that in the second embodiment,
as in the first embodiment, in order to protect the S_i
values from disclosure, it must be ensured that V
contains at least two binary 1 bits, by progressively
setting the least significant bits of V to binary 1 if
necessary.
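The challenge-response protocol of the first embodiment and the MAC of the second, including the rule that V must carry at least two 1 bits, as an added worked example (not part of the patent text). All parameters are constructed toy values (two five-digit primes, n=8); a real system uses a 512-bit-class modulus.

```python
from math import gcd
from random import Random

# Constructed toy parameters (NOT secure; for illustration only). A real
# system uses a modulus in the range 2^512 < N < 2^513 as the text notes.
P, Q = 10007, 10009          # two primes; N is their product (claim 1(a))
N = P * Q
PHI = (P - 1) * (Q - 1)      # Euler's totient function of N
E = 65537                    # public key e, relatively prime to phi(N)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)          # secret key d with e*d = 1 (mod phi(N))
NBITS = 8                    # n: number of public factors and bits in V


def make_public_factors(n, modulus, seed=1):
    """Issuer selects n public factors F_i with 0 < F_i < N (claim 1(d))."""
    rng = Random(seed)       # fixed seed so the example is reproducible
    return [rng.randrange(2, modulus - 1) for _ in range(n)]


def derive_secret_factors(factors, d, modulus):
    """S_i = F_i^d (mod N), computed once by the issuer and stored in the
    card's secure PROM; d itself never leaves the issuer."""
    return [pow(f, d, modulus) for f in factors]


def selected_indices(v, n):
    """0-based indices i for which bit v_i of the n-bit string V is 1."""
    return [i for i in range(n) if (v >> i) & 1]


def card_response(v, secrets, modulus):
    """Y = product over v_i = 1 of S_i (mod N): at most n-1 multiplications,
    and no use of d, which is why the card can be a low-cost device."""
    y = 1
    for i in selected_indices(v, len(secrets)):
        y = (y * secrets[i]) % modulus
    return y


def verify_response(v, y, factors, e, modulus):
    """Verifier forms X_ref = product over v_i = 1 of F_i (mod N) and
    X_act = Y^e (mod N); the response is accepted only if they are equal."""
    x_ref = 1
    for i in selected_indices(v, len(factors)):
        x_ref = (x_ref * factors[i]) % modulus
    x_act = pow(y, e, modulus)
    return x_ref == x_act


def ensure_two_one_bits(v, n):
    """V must contain at least two 1 bits so that no single S_i is ever sent
    alone; set least-significant bits to 1 progressively until it does."""
    bit = 0
    while bin(v).count("1") < 2 and bit < n:
        v |= 1 << bit
        bit += 1
    return v


def message_to_challenge(message, e, modulus, n):
    """Second embodiment: H = M^e (mod N); the binary value J of H is cut
    into n-bit sub-fields (the last one zero-padded) which are XORed
    together to give V, then the two-1-bits rule is applied. The message
    integer is reduced mod N here so that M < N (a toy simplification)."""
    m = int.from_bytes(message, "big") % modulus
    h = pow(m, e, modulus)
    v = 0
    while h:
        v ^= h & ((1 << n) - 1)   # take the next n-bit sub-field
        h >>= n
    return ensure_two_one_bits(v, n)


def certify_message(message, secrets, e, modulus, n):
    """MAC appended by the message source unit: Y computed from V(M)."""
    v = message_to_challenge(message, e, modulus, n)
    return card_response(v, secrets, modulus)


def verify_message(message, mac, factors, e, modulus, n):
    """Authentication device recomputes V from M and checks the MAC."""
    v = message_to_challenge(message, e, modulus, n)
    return verify_response(v, mac, factors, e, modulus)


FACTORS = make_public_factors(NBITS, N)
SECRETS = derive_secret_factors(FACTORS, D, N)

if __name__ == "__main__":
    challenge = ensure_two_one_bits(0b00100100, NBITS)  # verifier's random V
    y = card_response(challenge, SECRETS, N)
    print("challenge accepted:", verify_response(challenge, y, FACTORS, E, N))
    msg = b"constructed sample message"
    mac = certify_message(msg, SECRETS, E, N, NBITS)
    print("MAC accepted:", verify_message(msg, mac, FACTORS, E, N, NBITS))
    print("MAC accepted for altered message:",
          verify_message(msg + b"?", mac, FACTORS, E, N, NBITS))
```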

The second embodiment of the invention has the further
advantage that several message source units 30A or the
data emanating therefrom may be authenticated without
the unit actually being present at the time of authenti-
cation. This ability is particularly useful for authen-
ticating messages which may have been produced some time
earlier by various message source units 30A, in the form
of low cost devices such as smart cards. Multiple
message source units may share the same F_1, ..., F_n
values which would be standardized for the scheme, with
individual integrity being ensured by various values of
e and N.

However, it is preferred to standardize e and F_1, ...,
F_n for all users of an authentication scheme within a
group of users and for the operator of each message
source unit to publish a specific value N to be used for
his message source unit. Should an operator possess
several such units, rather than specifying a unique
value of N for each unit, integrity can be assured in a
manner which will now be described with reference to the
third embodiment of the invention.

According to a third embodiment of the invention, a
message M may be authenticated as originating from a
unique message source unit among a set of such message
source units sharing the same F_1, ..., F_n and N and e
values. This has the advantage that it is infeasible
for one member of such a set to masquerade as another
member of the set. For this purpose, the operator of
the system allocates to each message source unit a
public factor F_ID which is unique to that source unit.
Furthermore, the operator of the system computes, for
each such F_ID value, a corresponding S_ID value:

S_{ID} = F_{ID}^d \pmod{N}

where d is the system secret key, and stores S_ID in the
secure memory of the relevant message source unit.

Referring to Fig. 5, there is shown a diagram of the
secure PROM 42B included in the message source unit.
The PROM 42B contains storage locations 102B-1 to 102B-n
storing the n values S_1, ..., S_n, respectively, storage
locations 104B and 106B storing the values N, e, res-
pectively, and storage locations 108, 110, storing the
values F_ID, S_ID, respectively.

In the third embodiment, it should be understood that
the operation is generally similar to that described for
the second embodiment, except that the calculation of
the MAC, Y, is made according to the formula

Y = S_{ID} \cdot \prod_{v_i=1} S_i \pmod{N},

using the stored S_ID and S_i values. Correspondingly,
the calculation of X_ref in the message authentication
unit is made according to the formula

X_{ref} = F_{ID} \cdot \prod_{v_i=1} F_i \pmod{N},

using the stored F_i values, with the F_ID value being
included in the certified message transmitted from the
message source unit to the message authentication unit
for use in the computation of X_ref.

It will be appreciated that in the third embodiment,
with S_ID included in the computation of Y, the
requirement that V contains at least two binary 1 bits
is reduced to the requirement that V should be non-zero.

The embodiments described hereinabove may be used for
any application where it is desired to authenticate
entities or the data emanating from them. An important
application, however, is to an intelligent financial
transaction token or smart card used in Electronic Funds
Transfer at the Point of Service (EFTPOS). For several
reasons of cost and security it is perceived that the so
called "smart card" provides a highly effective
technology for EFTPOS.

A fundamental reason for using smart card technology is
to enable a transaction to be completed fully off-line
from the card issuer's authorization system with a
minimum of risk to the various parties affected.

From a risk analysis point of view, the following areas
must be considered:

(a) Is the card holder legitimate?

(b) Is the card authentic?

(c) Is the implied value loaded into or dispensed
by the card authentic?

(d) Is the transaction claim made by the card
acceptor authentic?



Card holder authenticity is generally effected by
employing a Personal Identification Number (PIN) which
is verified by or with the smart card prior to sensitive
operations being initiated. Such PIN may be entered via
a keyboard such as the keyboard 56, Fig. 2, or by a
keyboard (not shown) integral with the card.

It is commonly perceived that card authenticity needs to
be established prior to transferring value to prevent
bogus funds being loaded into or dispensed by the card.
However, this requirement in essence occurs with many
implementations because it is not possible to authenti-
cate at the point of service the value data exchanged.

Therefore, considering the dispersal of value from a
card, provided that the card could itself produce an
authentication certificate for the data emanating from
it such that the certificate could be tested by any
other entity, then card authentication is unnecessary.
This has significant consequence for remote card authen-
tication or home banking applications, as the need for a
trusted card authentication device at the point of card
acceptance is eliminated. This possibility also enables
any intermediate entity handling the value message
between the card and the entity guaranteeing the funds
to test the authenticity of the data in order to under-
take settlement actions. In this sense, the potential
exists for true electronic currency.

Considering the loading of value, if it can be shown
that data emanating from a card is authentic, it must be
assumed that only an authentic card could perform the
certificate calculation correctly. Therefore, if only an
authentic card can correctly dispense funds, then the
requirement of preventing the loading of bogus value can
be readily met by designing authentic cards such that
they will reject an attempted loading of bogus value
themselves.

Since the card contains the ability to generate certifi-
cates, it could therefore check a certificate as well.
This could be done in a fourth embodiment of the
invention by calculating a certificate for value load
data presented to the card in the same manner as done by
the card itself and appending that certificate to the
value load data. The card could replicate that opera-
tion and compare the result with the presented certifi-
cate. The presumption is that only the entity guaran-
teeing dispensed value could correctly load value so
that it is assumed that this entity knows the secret
certificate calculation method.

However, this technique would require the entity
generating the load value certificate to have available
a record of each card's secrets; given the potential
size of card networks, the possibility that several
value generators may wish to load value, and the highly
desirable need to uniquely authenticate each card, this
requirement could become impractical.

The primary advantage of the embodiments described here-
inabove is that any entity may easily test the authenti-
city of data emanating from another entity. If it was
considered that the source of the value load data was a
similar entity to the load accepting entity, then any
other entity including the destination card itself could
similarly easily test the load data for authenticity
prior to acceptance.

Thus, the need to authenticate a card or, conversely, 
the need for the card to authenticate the load device is 
eliminated if the techniques of public message authenti- 
cation as described in the third embodiment are 
employed. 

Thus, the fourth embodiment of the invention provides a
means and method for eliminating the need for trusted
terminal devices, which may have the capability of
adding information or value to the entities in the set,
by delivering such information with an authentication
certificate such that the member entity can authenticate
that information as emanating from the identified source
prior to its acceptance. In the fourth embodiment the
member entity (smart card) possesses both the ability to
generate its own certificates and also test certificates
from other entities by employing in the first case the
techniques of the third embodiment to generate certi-
ficates and in the second case the complementary
techniques of the third embodiment to test certificates.

In this fourth embodiment, the card may additionally
contain stored therein the F_i, N and e values appro-
priate for each value load generator which is authorized
by the card issuer to perform the value load function.
For convenience, all generators should employ the same
public factors F_i and public key e, with individual
integrity being obtained by the use of different N
values.

Although in the preferred embodiments, the calculations
within the card 30, and acceptor device 32, message
source unit 30A and message authentication unit 32A have
been described as being effected by microprocessors 36,
50, 36A, 50A, it should be understood that in a modifi-
cation, each microprocessor may be associated with a
respective dedicated calculation unit which performs the
function

f(P) = P \cdot M \pmod{N}.

Such dedicated circuitry may use shift register and
serial adder/subtractor elements such that a value M is
multiplied by a value P while simultaneously the value N
is subtracted, if necessary, to yield within a single
computation cycle the desired product value P \cdot M \pmod{N}.
By this means, the function

Y = \prod_{v_i=1} S_i \pmod{N}

may be computed with the values being progressively
presented as indicated by the values of the bits v_i of
V.
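A software model of the dedicated f(P) = P·M (mod N) unit described above, as an added example (not from the patent): the multiplier bits are processed serially with shift, add, and conditional subtraction of N, so the running value never exceeds 2N and no full-width division is needed. Toy values are constructed.

```python
def modmul_shift_subtract(p, m, n):
    """Return p*m mod n by processing the bits of m from the most
    significant end, as a shift-register / serial-subtractor circuit would.
    Invariant: acc < n before and after every step."""
    assert 0 <= p < n and 0 <= m < n
    acc = 0
    for bit in reversed(range(m.bit_length())):
        acc <<= 1              # shift: acc = 2*acc (< 2n)
        if acc >= n:
            acc -= n           # one subtraction restores acc < n
        if (m >> bit) & 1:
            acc += p           # add the multiplicand for a 1 bit (< 2n)
            if acc >= n:
                acc -= n
    return acc


def product_over_selected(secrets, v, n):
    """Y = product over v_i = 1 of S_i (mod N): each S_i selected by a 1 bit
    of V is presented in turn to the single-cycle multiplier."""
    y = 1
    for i, s in enumerate(secrets):
        if (v >> i) & 1:
            y = modmul_shift_subtract(y, s, n)
    return y


if __name__ == "__main__":
    # Constructed toy check against Python's built-in arithmetic.
    print(modmul_shift_subtract(123456, 654321, 1000003)
          == (123456 * 654321) % 1000003)
    print(product_over_selected([3, 5, 7], 0b101, 11))   # 3*7 mod 11
```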
The embodiments described above provide a high degree of
security both for the authentication of entities and for
the certification of messages. However, it should be
understood that, depending on system implementation, a
sophisticated attacker could compromise a system
employing such authentication and/or certification
techniques, as will now be explained. Thus, since the
factors F_i and S_i are selected for multiplication
according to the value of V, it follows that, if the
system design permitted an appropriately manipulated
authentication device to generate any desired values of
V, for example, if the values

V_a = 3 (decimal) = 011 (binary)

and V_b = 7 (decimal) = 111 (binary)

could be freely chosen, then corresponding Y values

Y_a = S_1 \cdot S_2 \pmod{N}

and Y_b = S_1 \cdot S_2 \cdot S_3 \pmod{N}

would be produced.

Since

S_3 = Y_b / Y_a = (S_1 \cdot S_2 \cdot S_3) / (S_1 \cdot S_2) \pmod{N},

S_3 is disclosed. Similarly, any desired S_i can be
ascertained, provided that division operations can be
effected. Due to the modulus N operation on Y_a and Y_b,
simple division will not necessarily yield a correct
value. However, since N is a composite of large prime
numbers (usually two), then most numbers in the range 1
to N-1 will have a modulo N reciprocal, i.e. given Y,
there is, generally, a value Y^{-1}, such that

Y \cdot Y^{-1} = 1 \pmod{N}

Known mathematical techniques can be utilized to find
such reciprocal value Y^{-1}.

Hence, S_3 = Y_b \cdot Y_a^{-1} \pmod{N}

can be determined, and, by similar techniques, the
remaining S_i can also generally be ascertained. Having
ascertained the S_i values, the sophisticated attacker,
using suitable hardware could fraudulently effect
authentication and certification procedures.

To avoid such an attack, it should be made infeasible to
select V values which yield a set of Y values which can
be manipulated to yield single factors S_i.

In a fifth embodiment of the invention, this problem is
alleviated by including an additional public parity
factor F_p and associated secret factor S_p in the system,
where

S_p = F_p^d \pmod{N},

and arranging that all Y values are the product of an
even number of factors, utilizing S_p if necessary, thus
preventing the ascertainment of any single factor. For
example, with this arrangement,

for V = 1 (decimal), Y = S_1 \cdot S_p \pmod{N}

for V = 2 (decimal), Y = S_2 \cdot S_p \pmod{N}

for V = 3 (decimal), Y = S_1 \cdot S_2 \pmod{N}, etc.

Thus, in the arrangement described with reference to
Fig. 1, a card issuer selects an additional public
factor F_p, calculates S_p and stores S_p in the cards to be
issued. Similarly, in the message certification system
described with reference to Figs. 3 and 4, the addi-
tional secret parity factor S_p is stored in the PROM 42A
and the corresponding public parity factor F_p stored in
the RAM 52A. Again, with the unique identification
arrangement described with reference to Fig. 5, the
secret parity factor S_p is stored in the secure PROM
42B, in addition to the S_ID value, and with this
arrangement, there is the further advantage that V can
be in the full range of 0 to 2^n - 1. This is desirable
for message certification since it eliminates any need
to adjust the message hash result. Thus, with this
arrangement,

for V = 0 (decimal), Y = S_{ID} \cdot S_p \pmod{N}

for V = 1 (decimal), Y = S_{ID} \cdot S_1 \pmod{N}

for V = 2 (decimal), Y = S_{ID} \cdot S_2 \pmod{N}

for V = 3 (decimal), Y = S_{ID} \cdot S_1 \cdot S_2 \cdot S_p \pmod{N}, etc.

Although it could be argued that if the fifth embodiment
is utilized an attacker could selectively extract all
factor pairs,

e.g. S_1 \cdot S_2 = Y_3 \cdot Y_0^{-1} \pmod{N},

and use these pairs to produce bogus certificates in a
message certification scheme, such an attack may be
infeasible due to the number of pairs needed to be
obtained and fraudulently used in systems where n has a
suitably large value.

Another way to prevent selective extraction of values
by an attacker is to ensure that any Y value is not
consistently related to any other Y value. This can be
achieved by including a variable component in the Y
calculation which cannot be controlled or predicted by
an attacker. Such variable component should be chosen
from a large enough set of possible component values to
make the reoccurrence of any specific value statis-
tically improbable. That is, the number of Y values
needing to be obtained to ensure that the same variable
component is included in the calculation should be
infeasibly large for an attacker.

Firstly, it will be appreciated that the Y values are in
fact a base set of 2^n values pseudo-randomly distributed
within the set bounded by 1 and N-1. Secondly, it will
be appreciated that the numerical separation of these Y
values is in fact precisely determined. Application of
an offset value which was applied to all Y values in the
base set would in effect produce another set of
precisely separated Y values within the set 1, N-1.
Thus, provided that the number of Y sets which could be
produced by offset was large enough to be statistically
unique, then mathematical extraction of the factors
making up a certain Y value would be infeasible, unless
the set offset value was known, since the number of
valid Y values within the set 1, N-1 would be increased
from 2^n to 2^n times the number of Y sets.

In the extreme case, consider that the number of Y sets
was N-1; then the number of valid Y values would be
2^n \cdot (N-1). This would raise the probability that an
entity producing a Y value was authentic, or that a
message from the entity was authentic, from
2^n to 2^n \cdot (N-1). For typical N values 2^{512} < N < 2^{513}
then the order of probability of authenticity would be
2^n \cdot 2^{512}. This is not true in practice since the total
of Y values available is N-1, limiting the probability
to 1:(N-1). Clearly since this order of probability far
exceeds any reasonable requirement, the number of Y sets
could be substantially reduced. If s equals the number
of binary bits available to denote the set number then
the number of sets would be 2^s giving an authenticity
probability of 2^n \cdot 2^s or 2^{n+s}. Note that in principle n
and s could be varied in size to obtain the order of
probable authenticity protection desired in the system.
However, since the 2^n component may be selectable via V
by an attacker the 2^s component should be large enough
to make such an attack infeasible. Also, note that n
determines the range of V and should be large enough to
preclude undetected manipulation of message contents
when V results from a hash function of a message.

In such a system it is necessary to communicate to the
authenticator the Y set employed for a particular Y
calculation by the certifying entity. If this was
directly disclosed as an offset value, then the
aforementioned attacks could still be executed since
reversing the offset process would yield the original
base set of Y values and thus by extraction, the base
set of S_i values. Consequently, the offset value or set
identifier should be provided in a manner usable by the
authenticator for Y testing but not for Y factoring.

For example, it is possible to include in the authen-
tication protocol a value F_set which is passed to the
authenticator for each Y calculation. F_set is produced
by the certifier selecting a set number S_set and comput-
ing

F_{set} = S_{set}^e \pmod{N}

Note that S_set cannot be determined from F_set without
knowledge of d. Thus, for entity authentication, the
entity:

(i) Selects an S_set;

(ii) Computes F_{set} = S_{set}^e \pmod{N};

(iii) Communicates F_set to the authentication device,
which

(iv) Selects a V value and communicates this value to
the entity, which computes

(v) Y = S_{set} \cdot \prod_{v_i=1} S_i \pmod{N}, which it communicates to
the authentication device, which tests Y by

(vi) X_{ref} = F_{set} \cdot \prod_{v_i=1} F_i \pmod{N}

= X_{act} = Y^e \pmod{N}.

Note that, since F_set is a pseudo-random distribution
within the set 1, N-1 from which it is not feasible to
determine S_set, then it is not necessary to choose S_set
randomly. The protection from analytical attacks can be
obtained merely by ensuring that S_set does not predic-
tably repeat within an attack session. One such method
to achieve this is to run an incremental count of Y
calculations and to use this count value to update S_set.
This method has the further advantage of providing to
the entity originator a method of cryptographically
checking for lost or duplicated messages delivered to
him from the source entity.

Thus, in a sixth embodiment of the invention, for
message certification,

Y = S_{set} \cdot S_{ID} \cdot \prod_{v_i=1} S_i \cdot S_p \pmod{N}

where S_set = a function of the counter value,
S_{ID} = F_{ID}^d \pmod{N},
S_i = F_i^d \pmod{N},
S_p = F_p^d \pmod{N}, optionally included if V has
even parity,

and the certificate Y is calculated across a message
including F_ID, F_set therein, where F_{set} = S_{set}^e \pmod{N}.

To generate the S_set counter values a hardware counter
could be provided in a smart card or entity to be
authenticated, such as the card 30, Fig. 2, or in a
message source unit such as the message source unit 30A,
Fig. 3. Alternatively, the microprocessor 36 or 36A
therein could be programmed to provide a counting opera-
tion using storage locations in the RAM memories 38 or
38A. An analogous arrangement could be utilized when a
unique identifier factor S_ID and associated F_ID are
employed as described hereinabove with reference to the
third embodiment of the invention.

In the just mentioned system the protocol is enlarged by
the inclusion of F_set. This is unimportant for inter-
active entity authentication by locally communicating
devices but may be an unacceptable overhead for message
certification.
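The parity factor S_p of the fifth embodiment and the counter-driven S_set / F_set of the sixth, as an added worked example (not part of the patent text) on constructed toy parameters. It checks the two consequences the text states: with S_p present the ratio of two responses yields a pair of factors rather than a single S_i, and a certificate carrying F_set verifies with the public F values alone.

```python
from math import gcd
from random import Random

# Constructed toy parameters (NOT secure; for illustration only).
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # secret key d: e*d = 1 (mod phi(N))
NBITS = 8
_rng = Random(7)                    # fixed seed: reproducible toy values


def new_factor():
    """A public factor 0 < F < N, chosen coprime to N so every Y is invertible."""
    while True:
        f = _rng.randrange(2, N - 1)
        if gcd(f, N) == 1:
            return f


F = [new_factor() for _ in range(NBITS)]   # public factors F_1..F_n
F_P = new_factor()                         # public parity factor F_p
F_ID = new_factor()                        # public identifier factor F_ID
S = [pow(f, D, N) for f in F]              # secret S_i = F_i^d (mod N)
S_P = pow(F_P, D, N)                       # secret parity factor S_p
S_ID = pow(F_ID, D, N)                     # secret identifier factor S_ID


def product_mod(values):
    acc = 1
    for x in values:
        acc = (acc * x) % N
    return acc


def selected(v, table):
    """Entries of table at the positions where bit v_i of V is 1."""
    return [table[i] for i in range(NBITS) if (v >> i) & 1]


def needs_parity(v, fixed_factors):
    """Fifth embodiment: the number of base factors in Y (the selected S_i
    plus fixed ones such as S_ID) must be even; S_p is added when it is odd."""
    return (bin(v).count("1") + fixed_factors) % 2 == 1


def base_response(v):
    """First-embodiment Y without the parity factor (for comparison)."""
    return product_mod(selected(v, S))


def parity_response(v):
    """Y = product of selected S_i, times S_p when that count is odd."""
    factors = selected(v, S) + ([S_P] if needs_parity(v, 0) else [])
    return product_mod(factors)


def ratio(y_b, y_a):
    """Y_b * Y_a^-1 (mod N): the quotient the specification shows would
    isolate S_3 from the responses to V=3 and V=7 in the base scheme."""
    return (y_b * pow(y_a, -1, N)) % N


def s_set_for(counter):
    """Sixth embodiment: S_set as a function of a counter of Y calculations.
    Constructed mapping; the text only requires that S_set not repeat
    predictably within a session, not that it be random."""
    return 2 + counter


def certify(v, counter):
    """Y = S_set * S_ID * prod S_i [* S_p] (mod N), with S_p included when V has
    even parity (S_ID already contributes one factor). Returns (Y, F_set);
    F_set = S_set^e travels with the message, S_set stays in the card."""
    s_set = s_set_for(counter)
    factors = [s_set, S_ID] + selected(v, S)
    if needs_parity(v, 1):
        factors.append(S_P)
    return product_mod(factors), pow(s_set, E, N)


def authenticate(v, y, f_set):
    """X_ref = F_set * F_ID * prod F_i [* F_p]; accept iff Y^e = X_ref (mod N)."""
    factors = [f_set, F_ID] + selected(v, F)
    if needs_parity(v, 1):
        factors.append(F_P)
    return pow(y, E, N) == product_mod(factors)


if __name__ == "__main__":
    # Base scheme: the ratio of Y(7) and Y(3) is exactly S_3.
    print("base scheme isolates S_3:", ratio(base_response(7), base_response(3)) == S[2])
    # Parity scheme: the same ratio is the pair S_3*S_p, never a single factor.
    print("parity scheme yields a pair:",
          ratio(parity_response(7), parity_response(3)) == (S[2] * S_P) % N)
    y, f_set = certify(0b1010, counter=41)
    print("counter-set certificate accepted:", authenticate(0b1010, y, f_set))
```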
A further method of pseudo-randomly varying the base set
of Y values which does not add significantly to the
protocol is to utilize precalculated offset values the
selection of which is advised to the authentication
device.

In a seventh embodiment of the invention, V, which is
made up of n bits, is split into two parts, V_s and V_a,
where V_s is chosen by the certifier, and V_a as before is
chosen in the authentication device (or determined by
the message content). The number of bits in each of V_s
and V_a is predetermined. For example, where n=32, each
of V_s and V_a could have 16 bits. The bits of V_s are
used to select the S_set offset value with the bits of V_a
being used to select the S_a values. Note also that the
S_set offset values can be combined to yield 2^{ns} offset
values, where ns is the number of base offset values
available.

Thus, in the seventh embodiment,

Y = \prod_{v_{si}=1} S_{si} \cdot \prod_{v_{ai}=1} S_{ai} \pmod{N};

X_{ref} = \prod_{v_{si}=1} F_{si} \cdot \prod_{v_{ai}=1} F_{ai} \pmod{N}; and

X_{act} = Y^e \pmod{N}, as before.

The values S_{si} = F_{si}^d \pmod{N} are stored by the certif-
ier (smart card or message source unit) and used in a
similar manner to the S_ai values, but selected by the
certifier pseudo-randomly.

The values F_si are made publicly available in the same
manner as the F_ai values.
In this embodiment, V_s rather than F_set would be
included (and hashed for V_a) in the certified message.

Thus, for message certification where the unique
identifier factors S_ID and F_ID are utilized,

M = V_s, F_ID, Message.

As in the second embodiment, a change-sensitive
transformation H of the aggregate message M is formed,
and the value of V_a derived therefrom. The following
calculations are then effected:

Y = S_{ID} \cdot \prod_{v_{si}=1} S_{si} \cdot \prod_{v_{ai}=1} S_{ai} \pmod{N}; and

X_{ref} = F_{ID} \cdot \prod_{v_{si}=1} F_{si} \cdot \prod_{v_{ai}=1} F_{ai} \pmod{N}.

It can be seen from the above that the authenticity of a
particular Y value is as before 1:N. The authenticity
of the entity producing the Y value (entity forgery) is
determined by the number of bits in V_s and V_a and is
therefore 1:2^{ns+na}.
CLAIMS

1. A method of manufacturing an entity (30,
30A), including the steps of:

(a) selecting a modulus N which is a product of at least
two prime numbers;

(b) selecting an integer e which is relatively prime to
\varphi(N), where \varphi(N) is Euler's totient function of N;
and

(c) determining an integer d such that e \cdot d = 1 \pmod{\varphi(N)},
characterized by the steps of:

(d) selecting a set of n public factors
F_1, ..., F_n (0 < F_i < N);

(e) calculating S_i = F_i^d \pmod{N} for i=1, ..., n; and

(f) storing the n values S_i (i=1, ..., n) and the
value N in said entity.

2. A method according to claim 1, character-
ized in that said n values S_i are stored in a program-
mable read-only memory (PROM) (42, 42A, 42B) included in
said entity (30, 30A).

3. A method according to claim 2, character-
ized in that said entity (30, 30A) includes processing
means (36, 36A) and input/output means (44, 44A).

4. A method according to claim 1, character-
ized by the steps of:

(g) assigning a public factor F_ID unique to said entity;

(h) computing

S_{ID} = F_{ID}^d \pmod{N}; and

(i) storing the value S_ID in said entity.

5. A method of authenticating an entity (30,
30A) according to any one of claims 1 to 4, character-
ized by the steps of:

(j) placing said entity (30, 30A) in communication with
an authentication device (32, 32A);

(k) generating in said authentication device (32, 32A)
an n-bit binary string V = v_i (i=1, ..., n);

(l) transmitting said binary string V to said entity
(30, 30A);

(m) calculating, in said entity (30, 30A)

Y = \prod_{v_i=1} S_i \pmod{N};

(n) transmitting Y to said authentication device (32,
32A);

(o) calculating, in said authentication device (32,
32A)

X_{ref} = \prod_{v_i=1} F_i \pmod{N}; and

X_{act} = Y^e \pmod{N}; and

(p) comparing X_ref and X_act.

6. A method according to claim 5, character-
ized in that said authentication device (32, 32A)
includes storage means (52, 52A) adapted to store said
public factors F_1, ..., F_n, and the values of N and e.

7. A method according to claim 6, character-
ized by the step of repeating said steps (k) to (p) a
plurality of times, using random values of V.

8. A method of certifying a message M
generated by or presented to an entity (30, 30A)
manufactured according to any one of claims 1 to 4
characterized by the steps of:

(q) computing a change-sensitive transformation H of said
message M;

(r) generating an n-bit binary string
V = v_i (i=1, ..., n), using the computed value
of H;

(s) computing

Y = \prod_{v_i=1} S_i \pmod{N}; and

(t) appending Y as a message authentication code (MAC)
certificate to said message M.

9. A method according to claim 8, character-
ized in that said step of (q) computing said change-
sensitive transformation H is effected by computing
H = M^e \pmod{N}.

10. A method according to claim 8 or 9, char-
acterized in that said step of (r) generating an n-bit
binary string V is effected by the steps of:
(u) converting H to a binary value J;
(v) segmenting J into sub-fields of length n; and
(w) adding together the individual sub-fields modulo 2
to form said n-bit binary string V.

11. A method according to any one of claims 5
to 10, characterized in that, in said step (m) and said
step (s) the value of Y is calculated according to the
formula

Y = S_{set} \cdot \prod_{v_i=1} S_i \pmod{N},

where S_set is selected in said entity (30,30A);
by the steps of

(x) computing in said entity (30,30A) F_{set} = S_{set}^e
\pmod{N}, and

(y) transmitting F_set to said authentication device
(32,32A);

and in that in said step (o), the value of X_ref is
calculated according to the formula

X_{ref} = F_{set} \cdot \prod_{v_i=1} F_i \pmod{N}.

12. A method according to claim 11,
characterized in that S_set is selected in accordance
with a count value which is incremented for each Y
calculation.

13. A method according to claim 12,
characterized in that S_set is determined by computing,
in said entity (30,30A), a product including a selection
of a set S_si of said factors S_i, said selection being in
accordance with a binary string V_s = v_si generated in
said entity (30,30A), whereby the value of Y is
calculated according to the formula

Y = \prod_{v_{si}=1} S_{si} \cdot \prod_{v_{ai}=1} S_{ai} \pmod{N}

wherein the v_ai values correspond to the bits of said
n-bit binary string generated in said authentication
device (32,32A);
by the step of:

(z) transmitting V_s to said authentication device
(32,32A), and in that the value of X_ref is calculated in
said authentication device (32,32A) according to the
formula

X_{ref} = \prod_{v_{si}=1} F_{si} \cdot \prod_{v_{ai}=1} F_{ai} \pmod{N}.

14. A method according to any one of claims 5
to 13, characterized in that, in said step (m) and said
step (s), the value of Y is calculated utilizing
selectively an additional predetermined factor S_p, such
that the total number of factors included in the
calculation of Y is even, and in that, in said step (o),
the value of X_ref is correspondingly calculated,
utilizing selectively an additional factor F_p, where
S_p = F_p^d \pmod{N}.

15. An entity (30,30A), including processing
means (36,36A), input/output means (44,44A) and memory
means (42,42A,42B), characterized in that said memory
means (42,42A,42B) has stored therein a modulus N which
is the product of at least two prime numbers and a set
of n factors S_i (i=1, ..., n) where

S_i = F_i^d \pmod{N},

where d is the secret key counterpart of a public key e,
associated with the modulus N, and F_i (i=1, ..., n) are
n public factors, 0 < F_i < N, and in that said processing
means (36,36A) is adapted to compute

Y = \prod_{v_i=1} S_i \pmod{N}

where V = v_i is an n-bit binary string.

16. An entity according to claim 15, characterized in that said memory means (42A,42B) is further adapted to store the value of said public key e and in that said processing means is further adapted to compute

H = M^e (mod N)

where M is a message to be transmitted by said entity (30,30A), to convert H to a binary n-bit vector V, and to compute

$Y = \prod_{v_i = 1} S_i \pmod N$

using the bits v_i of the computed vector V, and in that said input/output means (44,44A) is adapted to transmit Y as a message authentication code (MAC) associated with said message.

17. An entity according to claim 15 or 16, characterized in that said memory means (42B) has stored therein a public factor F_ID unique to said entity, and a value S_ID, where

S_ID = F_ID^d (mod N).

18. An entity according to any one of claims 15 to 17, characterized in that the value of Y includes an additional factor S_set which is dependent on a count value which is incremented for each Y calculation.

19. An entity according to any one of claims 15 to 18, characterized in that said memory means (42,42A,42B) has stored therein an additional parity factor S_p, and in that said processing means (36,36A) is adapted to compute the value of Y by selectively including said additional parity factor S_p in the expression for Y, such that the total number of factors included in the calculation of Y is even.

20. An authentication device (32,32A) for use with an entity (30,30A) according to any one of claims 15 to 19, including further processing means (50,50A), further input/output means (64,64A) and further memory means (52,52A), characterized in that said further memory means (52,52A) has stored therein said n public factors F_i (i = 1, ..., n), said modulus N, and said public key e, and wherein said further processing means (50,50A) is adapted to compute

$X_{ref} = \prod_{v_i = 1} F_i \pmod N$, and

X_act = Y^e (mod N)

using the stored values of F_i, N and e, and to compare X_ref with X_act.

21. An authentication device according to claim 20 for use with an entity according to claim 17, characterized in that said further processing means is further adapted to compute

$X_{ref} = F_{ID} \cdot \prod_{v_i = 1} F_i \pmod N$.

22. An entity according to any one of claims 15 to 19, characterized in that said entity incorporates an authentication device according to claim 20 or claim 21.
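The entity/authentication-device computation of claims 15, 16, 19 and 20 above, as an added worked example (this is not code from the patent). It assumes textbook toy RSA parameters N = 61 x 53 = 3233, e = 17, d = 2753, n = 8 constructed public factors F_i = 2..9 and a constructed parity factor F_p = 11; the n bits of V are taken as the low n bits of H = M^e (mod N), which claim 16 leaves unspecified.

```python
"""Constructed example of the factor-product MAC of claims 15-20.
Toy parameters (assumption, far too small for real use): N = 61*53, e = 17, d = 2753.
"""

N = 3233                        # modulus, product of two primes
E = 17                          # public key e
D = 2753                        # secret counterpart d: e*d = 1 (mod phi(N) = 3120)
N_BITS = 8                      # n, the length of the binary string V
F = [2, 3, 4, 5, 6, 7, 8, 9]    # n public factors F_i, 0 < F_i < N (constructed)
F_P = 11                        # public parity factor F_p of claim 14 (constructed)

def secret_factors(factors, d=D, n_mod=N):
    """S_i = F_i^d (mod N): computed by the key holder and stored in the entity."""
    return [pow(f, d, n_mod) for f in factors]

S = secret_factors(F)           # S_i held in memory means (42, 42A, 42B)
S_P = pow(F_P, D, N)            # S_p = F_p^d, the stored parity factor of claim 19

def message_to_bits(m, e=E, n_mod=N, n_bits=N_BITS):
    """Claim 16: H = M^e (mod N), then V = v_1 .. v_n taken as the low n bits of H."""
    h = pow(m, e, n_mod)
    return [(h >> j) & 1 for j in range(n_bits)]

def include_parity(bits):
    """Claims 14/19: S_p is included exactly when the selected count is odd,
    so that the total number of factors multiplied is always even."""
    return sum(bits) % 2 == 1

def entity_mac(m):
    """Entity side: Y = prod_{v_i = 1} S_i (mod N), with S_p added for parity."""
    bits = message_to_bits(m)
    y = 1
    for v, s_i in zip(bits, S):
        if v:
            y = (y * s_i) % N
    if include_parity(bits):
        y = (y * S_P) % N
    return y

def device_check(m, y_mac):
    """Authentication device (claim 20): knows only F_i, F_p, N and e.
    X_ref = prod_{v_i = 1} F_i (mod N), X_act = Y^e (mod N); accept iff equal,
    since Y^e = prod S_i^e = prod F_i^(d*e) = prod F_i (mod N)."""
    bits = message_to_bits(m)
    x_ref = 1
    for v, f_i in zip(bits, F):
        if v:
            x_ref = (x_ref * f_i) % N
    if include_parity(bits):
        x_ref = (x_ref * F_P) % N
    x_act = pow(y_mac, E, N)
    return x_ref == x_act

if __name__ == "__main__":
    msg = 1234                                   # constructed message M < N
    mac = entity_mac(msg)
    print("Y =", mac, "accepted:", device_check(msg, mac))
```

The device never needs d or the S_i, which is the point of the claims: it recomputes V from M with the public e, multiplies public factors, and compares against Y^e. Note that an all-zero V gives the empty product Y = 1, which the check accepts trivially; in the claims this case is what the count-dependent S_set of claim 18 guards against.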
(57) Abstract

The invention concerns processes for generating digital signatures for electronic messages. The invention proposes modifying signature-generating algorithms, such as DSA ("Digital Signature Algorithm"), in order to enable smart cards with reduced calculation and storage resources to produce digital signatures with a high degree of security in spite of their reduced resources. The signature-checking terminal sends a random number a and measures the time taken by the card to send back a signature s using this random number. If the time is greater than a given duration, the signature is rejected even if the check of its authenticity is positive. In addition, part of the signature (the part which does not use the secret card key but only the public algorithm parameters) is precalculated and stored in the card in the form of signature coupons produced by a compression function such that they are short. Only the second part of the signature has to be calculated by the card. According to the invention, the calculations to be made are simple so that the card does not require extensive calculation and memory resources.



(57) Abstract (translated from the French)

The invention concerns methods for generating digital signatures for electronic messages. The invention proposes modifying signature generation algorithms such as DSA ("Digital Signature Algorithm") so as to allow smart cards with low computing and memory resources to produce digital signatures with a high degree of security despite their low resources. The signature verification terminal sends a random number a and times how long the card takes to return a signature s using this random number. If the time exceeds a determined duration, the signature is rejected even if the verification of its authenticity is positive. Furthermore, part of the signature (the part that does not use the card's secret key but only public parameters of the algorithm) is precomputed and stored in the card in the form of signature coupons obtained by a compression function, so that they are short. Only the second part of the signature has to be computed by the card, and the computations to be performed are arranged to be simple so that the card does not need substantial computing and memory resources.
METHOD FOR GENERATING ELECTRONIC SIGNATURES, IN PARTICULAR FOR SMART CARDS

The invention concerns a method for generating digital signatures for electronic messages.

The method applies in particular to the signing of messages by portable devices of the microprocessor smart card type.

For example, it may be a matter of signing messages sent by the card to a reader terminal or to a central authority; or of carrying out a transaction (electronic cheque) and signing that transaction so that it can be authenticated first by the reader terminal in which the transaction is made, then by a central authority that manages the transactions.

The method to be described is related to the digital signature generation algorithms that have been published in recent years, notably by the US National Institute of Standards and Technology, such as the DSA (Digital Signature Algorithm) described in US patent application 07/738431 and announced on 30 August 1991 in the Federal Register kept by that Institute, pages 42980-42982.

The aim of the invention is to modify the known methods, in particular to make them adaptable to microprocessor cards that do not have sufficient hardware resources (processor, memories) to perform mathematical operations on large numbers quickly. The known algorithms, notably the DSA algorithm, use large numbers to generate signatures with a sufficient degree of security.
To make the invention easier to understand, we first recall what the DSA algorithm is.

A DSA signature consists of a pair {r, s} of large numbers represented in computers by long strings of binary digits (160 digits). The digital signature is computed using a series of calculation rules, defined by the algorithm, and a set of parameters used in these calculations. The signature makes it possible both to certify the identity of the signer (because it involves a secret key belonging to the signer) and the integrity of the signed message (because it involves the message itself). The algorithm allows signatures to be generated on the one hand and verified on the other.

DSA signature generation involves a secret key. Verification involves a public key that corresponds to the secret key but is not identical to it. Each user has a pair of keys (secret, public). Public keys may be known to everyone, whereas secret keys are never disclosed. Anyone can verify a user's signature using that user's public key, but only the holder of the secret key can generate a signature corresponding to the key pair.

The parameters of the DSA algorithm are as follows:

- a prime number p such that $2^{L-1} < p < 2^L$ for L between 512 and 1024 (inclusive), and L = 64a for some integer a;

- a prime number q such that $2^{159} < q < 2^{160}$ and p - 1 is a multiple of q;

- a number g, of order q modulo p, such that:
$g = h^{(p-1)/q} \bmod p$, where h is any integer satisfying 1 < h < p - 1 and g > 1;

- a number x generated randomly or pseudo-randomly (this is the secret key, fixed for a given user);

- a number y defined by the relation $y = g^x \bmod p$ (this is the public key tied to the secret key); the modular operations defined below, modulo p or modulo q, will be written mod p or mod q respectively;

- a number k generated randomly or pseudo-randomly, such that 0 < k < q.

The integers p, q and g are system parameters that may be published and/or shared by a group of users. The secret and public keys of a signer are x and y respectively. The random parameter k must be regenerated for each new signature. The parameters x and k are used for signature generation and must be kept secret.

To sign a message m (which will generally be a hashed value of an initial file M), the signer computes the signature {r, s} by:

$r = (g^k \bmod p) \bmod q$, and
$s = (m + xr)/k \bmod q$

(where division by k is understood modulo q, that is, 1/k is the number k' such that $kk' \equiv 1 \bmod q$; for example if q = 5 and k = 3, then 1/k = 2 because 3 x 2 = 6, i.e. 1 mod 5).

After checking that r and s are non-zero, the signature {r, s} is sent to the verifier. The verifier is generally the terminal into which the smart card that sends the message m and the signature {r, s} is inserted.
The verifier, which knows p, q, g (tied to the application), y (tied to the user) and m (the message it received from the card), computes:

a. $w = (1/s) \bmod q$
b. $u_1 = mw \bmod q$
c. $u_2 = rw \bmod q$
d. $v = [g^{u_1} y^{u_2} \bmod p] \bmod q$

Now this value $[g^{u_1} y^{u_2} \bmod p] \bmod q$ is precisely equal to r if s has the value (m + xr)/k mod q.

Consequently, the terminal receives r and s and checks that v is indeed equal to r in order to accept the signature, or rejects it otherwise.
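The DSA generation and verification steps recalled above, as an added example (not code from the patent). It assumes toy parameters p = 2039 and q = 1019 (q divides p - 1; the text calls for a 512- to 1024-bit p and a 160-bit q), h = 2, and a message m given directly as an integer below q instead of as the hash of a file.

```python
"""Constructed DSA example on toy parameters (assumption: p = 2039, q = 1019, h = 2)."""
import secrets

P, Q = 2039, 1019
G = pow(2, (P - 1) // Q, P)   # g = h^((p-1)/q) mod p with h = 2; g > 1 and g has order q

def inv_mod_q(k):
    """1/k mod q: the k' with k*k' = 1 (mod q), as in the q = 5, k = 3, k' = 2 example."""
    return pow(k, -1, Q)

def keygen():
    """Secret key x (random, 0 < x < q) and public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def dsa_sign(x, m):
    """r = (g^k mod p) mod q, s = (m + x*r)/k mod q, with a fresh k every time;
    retried until both r and s are non-zero, as the text requires before sending."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = ((m + x * r) * inv_mod_q(k)) % Q
        if r != 0 and s != 0:
            return r, s

def dsa_verify(y, m, r, s):
    """Verifier steps a-d: w, u1, u2, v; accept iff v == r.
    Out-of-range r or s (including zero, which has no inverse) is rejected first."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = inv_mod_q(s)
    u1 = (m * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r

if __name__ == "__main__":
    x, y = keygen()
    r, s = dsa_sign(x, 42)
    print("r, s =", r, s, "valid:", dsa_verify(y, 42, r, s))
```

The range check on s before inverting it is the verifier-side counterpart of the signer's non-zero test; without it a zero s would raise rather than be rejected.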

In what follows, the terms signer, signing element, prover device or smart card will be used interchangeably to designate the device that issues the signature, which will generally be a smart card. And the terms verifier, verifying element, verifier device, verifier terminal or control authority will be used interchangeably to designate the device that receives the signature and verifies it in order to accept or reject a transaction or a message. The simplest application of the invention is the issuing of a signature by a smart card to a reader terminal into which the card is inserted, the terminal performing the verification function and being connected or not to a central management authority.

One of the aims of the present invention is to increase the security of generation and verification of digital electronic signatures while minimizing the computing and memory resources that must be present in the smart card to produce the signatures.

It would in particular be desirable to be able to use inexpensive 8-bit microprocessors in the card, despite the fact that they cannot easily
WO 96/33567 PCT/FR96/00612
handle large numbers, rather than more powerful and more expensive microprocessors. But this must not be done at the expense of security.

According to a first important aspect, the invention proposes that the verification by a verifier (terminal) of the signature sent by the signer (card) uses a step of timing the duration elapsing between the instant at which a data item (in principle random) is sent by the verifier to the signer (card) and the instant at which the signature (using this random data item) comes back to the verifier. If the elapsed time is too long, the signature computation by the signer is proceeding abnormally and the signature is rejected even if its authenticity is confirmed by the verifier.

Indirectly, this solution makes it possible, as will be seen, to retain the same signature security while using weak hardware resources (computing power and memories) in the smart card. Weak resources make it necessary to modify the signature generation and verification methods, but at the expense of security. The timing step according to the invention restores a sufficient level of security.

This solution will be described in detail on the basis of algorithms derived from the DSA algorithm recalled above, but it will be understood that this first aspect of the invention is applicable with other algorithms, even if they are very different from the DSA algorithm.

In summary, the first aspect of the invention consists of an electronic signature method, comprising the generation of a digital signature by a signing element that computes this signature using a random data item sent by a verifying element, and the verification of the signature by the
verifier, which checks whether a mathematical condition involving the sent signature and the random data item is fulfilled, this method being characterized in that the verification of the signature sent by the signer to the verifier further uses a step of timing the duration elapsing between an instant at which the random data item is sent by the verifier to the signer and the instant at which the signature using this data item comes back to the verifier after computation by the signer, the signature being accepted if the elapsed time is below a determined threshold and if the mathematical condition is verified.

Preferably, the algorithm used is of the type in which signature generation produces two values {r, s}, s being computed from r and from a secret key x, and in which verification of the signature {r, s} consists in verifying an equality v = f(r, s) = r between r and a function f of r and s. It is then provided according to the invention that the function f is chosen complex enough that the time needed to search for a value s from this equality without knowledge of the secret key is much greater, even if the search is done by a powerful computer, than the time the card needs to compute and transmit the value s from r and the secret key, and this even if the card uses a weak microprocessor (an 8-bit microprocessor at 20 MHz, for example). Thus, by correctly choosing the time condition introduced by the timing, the condition cannot be fulfilled without knowledge of the secret key and in particular cannot be fulfilled by searching for s from the equality r = f(r, s).
In practice, the function f(r, s) also involves a message m to be signed, so that it can be written f(r, s, m).

Preferably, the function f comprises mathematical calculations followed by a complex hash function. The first signature part r is established by other mathematical calculations, followed by the same complex hash function.

This complex hash function is preferably, as will be explained later, a complex compression function resulting in a reduction of the length of the bit strings obtained by the mathematical calculations performed.

Recall that a hash function is a function for the logical processing of binary strings which yields a character string of determined length from another character string of the same or of a different length. A complex hash function can be obtained by successive hashes and/or mathematical calculations involving the results of several hashes. A compression can be obtained at the end by taking as the result a modular value, modulo $2^e$, where e is the length of the string finally desired.

Furthermore, according to another important aspect of the invention, a new solution is proposed for handling smaller numbers in the smart card, in digital signature algorithms of the kind in which the signature involves two numbers, r and s, only the number s involving the secret key of the card and the message to be sent.

This second aspect of the invention is an improvement on a signature generation method that was described in French patent application 93 14466. In that patent application, it is explained that
in an algorithm of this kind (DSA is one example), the number r depends neither on the message m sent by the card nor on the secret key contained in the card. It depends only on numbers fixed for the application considered, and on random numbers; for example, these numbers are g, p, q and k in the DSA algorithm. It is therefore pointless to have r computed by the card, since this consumes a large amount of computing time. Instead, a certified central authority computes in advance a series of n possible r values, denoted r_i, i being an index running from 1 to n. The values r_i are stored in the card. At each new use of the card, one of the values r_i is used (and this value is not used again subsequently). When signing, the card computes only the other signature part s, from a value r_i, the secret key x and the message m, and the message m and the pair {r_i, s} representing the signature are sent to the verifier, which can then verify it in the manner provided by the algorithm considered.

The numbers r_i are precomputed certificates, also called "signature coupons". They constitute only part of the signature to be sent, and they can be prepared and stored in advance in the card. The index i represents the index of the coupon used for a given signature.

But one of the difficulties lies in the great length of these coupons (160 bits in the DSA algorithm presented above). They consume a large amount of non-volatile memory space in the card; many of them cannot be saved in the card if only a limited amount of non-volatile memory is available; and furthermore they lead to a longer computing time with an 8-bit microprocessor, since these numbers have to be fetched in small pieces. But if smaller signature coupons were used and stored, the
guarantee of signature authenticity would risk being much weaker.

The invention described here makes it possible to reconcile the concern for a guarantee of authenticity with the use of smaller signature coupons r_i.

The invention therefore proposes a method for generating an electronic signature by a signing element and verifying it by a verifying element, using a digital signature algorithm in which the signature sent by the signer comprises at least one signature coupon r_i and a signature complement s which is computed from the coupon r_i and a secret key x of the card, this algorithm allowing signature verification by a verifier by means of a verification formula of the type

v = f(r_i, s) = r_i,

this method being characterized in that

a. the signature coupon is established in advance by a certified authority, in two steps:

- computation of a number represented by a long binary string, by means of a mathematical formula involving large binary numbers;

- and modification of the result of this computation by a complex compression function strongly reducing the length of this result,

b. a series of different coupons of short length are thus prepared in advance and stored in the signing element (smart card with memory and microprocessor),

c. signature generation comprises sending a coupon r_i and a signature complement s computed from at least r_i and x,

d. the signature verification algorithm comprises a mathematical calculation followed by the same
complex compression function as the one used to establish the coupon, and the result is compared with the coupon for signature verification.

The compression function is preferably a complex hash function requiring a fairly long computing time. This gives the signature generation and verification method substantial security. The advantage of a good guarantee of signature authenticity is thus combined with the possibility of saving only small coupons in the card, and therefore the possibility of saving many of them. If in addition the timing mentioned above is used, it will be understood that the guarantee of authenticity can be strengthened to a very high degree.

The computation of the signature s of course involves the message m to be signed, to guarantee not only the authenticity of the signature but also the integrity of the transmitted message.

Security can be further improved by one or more of the following features:

The formula for computing the coupon r_i is preferably established from a random value J generated initially by the card and stored in the card to be reused when the coupon is used for establishing a signature.

It can be provided that, to trigger the generation of a signature, the verifier terminal sends a random value a to the card and then starts the stopwatch; it is also provided that the establishment of the signature complement necessarily uses this random value a, and that signature verification also requires this random value a.

The signature complement s is preferably established by a computation involving a hash function SHA(m, a) of the message and of this random value a, the same
hash function being used for signature verification.

The signature complement s is preferably established by a computation involving a random value J stored in the card and having been used to establish the signature coupon. More preferably, this computation of s involves a hash function SHA(x, J, i) of this random value J and of an index i representing the number of the coupon used, this same hash function having previously been used in the computation of the long binary string provided for in the computation of the corresponding coupon. This hash function preferably also involves the secret key x of the card.

The signature complement s is preferably established by a computation involving a hash function of the coupon, SHA(r_i), the same hash function SHA(r_i) being used for signature verification.

Thus, according to a particular aspect of the invention, a method is proposed for generating digital signatures of messages by a signing device and verifying these signatures by a verifier device, the signing device comprising computing, communication and data retention means including at least one electrically programmable non-volatile memory, according to which encrypted data constituting signature coupons r_i are prepared, loaded into the non-volatile memory and used by the signing device to sign messages, principally characterized in that:

- the coupons are compressed by applying a compression function, also called a hash function, by a certified authority before being loaded into the memory, and in that it comprises the following exchanges:
- a message m is transmitted and this message must be certified by a signature;

- the signer sends a coupon r_i to the verifier,

- the verifier sends a random number a to the signer and starts a stopwatch,

- the signer computes the signature s of the message and sends it to the verifier,

- the verifier stops the stopwatch and checks that the signature was obtained by the secret held in the card and the coupon r_i received; this check is done by verifying the following equality:

v = f(r_i, s, m) = r_i

- the verifier accepts the signature if the verification condition v = r_i is fulfilled and if the timed duration does not exceed a predetermined allotted duration.

For simplicity, in all that follows the term card will mostly be used for the signer or signing element.

Other features and advantages of the invention will become apparent on reading the following detailed description, which is given with reference to the appended drawings, in which:

- figure 1 describes the flowchart of a card implementing the system proposed by the present invention;

- figure 2 describes the data transmitted between the card and the terminal at the time the coupon is used;

- figure 3 describes the flowchart of a terminal implementing the system proposed by the present invention;

- figure 4 represents the data transmitted between the card and the authority during the phase of
loading the coupons, and the organization of a card's memory after n coupons have been loaded.

From the explanations given in the preamble, it will have been understood that the main advantage of signature coupons precomputed according to the method of the invention lies in the speed of computing a signature by a card based on a simple 8-bit microcontroller and in the low memory footprint of the stored coupons. Typically the signature computation can be done in about 300 ms, transmission time included, and each coupon can use two to four bytes of EPROM or EEPROM memory.

The invention will be described with this example, it being understood that it is only an example, although it is considered here to be the most advantageous.

The signature generation method in this case breaks down into two distinct phases: the loading of the coupons by the authority that issued the card, then the use of these coupons by the card, facing a terminal that does not know the card's secret x.

The two phases here make use of hash functions of two different types. Recall that a hash function of a number, represented by a bit string, consists in producing another bit string of determined length, which may or may not be the same length as the starting string, by means of logical functions executed on groups of bits of the starting string.

Simple hash functions are used, denoted SHA(ch) for the hashing of a string ch. These functions may be conventional hash functions, such as those published in the recent
American standard SHA (Secure Hash Algorithm - FIPS PUB XX, of 1 February 1993, in "Digital Signature Standard"). These functions may be the function MD4 or MD5, or a hash based on the DES (Data Encryption Standard) algorithm.

Other functions, called complex hashes, will also be used. Their characteristic used here is not so much that they are hash functions as that they are slowdown functions imposed during certain signal processing steps, and also that they are compression functions reducing the length of the signature coupons to be saved in the smart card.

This slowdown and compression function is denoted H(ch) below for the processing of a string ch.

All kinds of slowdown and compression functions could be used in the invention. By way of example, the function H(ch) has been taken as the following function, where SHA(ch) denotes a conventional hash function:

H(ch) = SHA[ SHA{SHA(ch)} SHA(ch) mod p ] mod 2^e,

where e is the desired length for the coupons, for example 16 to 40 bits, i.e. a few bytes.

In all that follows, an algorithm directly inspired by the DSA algorithm is used to show how the original features of the invention are implemented. The parameters p, q, g, x, y used are those defined above with reference to the DSA algorithm.

LOADING OF COUPONS INTO THE CARD

This is the preliminary step, but of course only in the case where the first part r of the signature {r, s} is computed in advance, outside the card,
and several possible values r_i are loaded into the card.

1. The card resets a counter in non-volatile memory (EPROM or EEPROM), generates a random value J (of 10 to 20 bytes, for example), records it in non-volatile memory, and sends it to the control authority, which knows the card's secret x and computes, for i = 1 to n, several values k_i and several values r_i:

$k_i = \{1/\mathrm{SHA}(x, J, i)\} \bmod q$

and $r_i = H(g^{k_i} \bmod p)$; H is the slowdown and compression function.

It could also be envisaged that the card computes the value SHA(x, J, i) for each i and sends it to the control authority, which then computes the numbers r_i.

2. The authority sends the numbers r_i to the card, which stores them in memory, keeping the link with the index i. The numbers k_i are not kept.

With reference to the DSA algorithm, k_i represents the random number k, changed at each new signature. But instead of being issued by the verifier terminal at the time of a signature, it will be recomputed at the appropriate moment by the card. Since it depends on i and a coupon of index i is used only once, k_i is renewed every time.

USE OF A COUPON TO SIGN A MESSAGE

When the card wishes to sign a message, the following protocol is used after transmission of the message m (preferably in the form of a hashed function of the
actual message, according to a hash function known to the terminal receiving the message):

1. The card

- extracts the state i of the counter (representing the current index of the signature about to be produced),

- extracts from non-volatile memory the random value J, the secret x, and the coupon r_i corresponding to index i;

- computes I = SHA(x, J, i); this value I is none other than the modular inverse of the k_i that was used to compute the coupon r_i;

- computes A = x·SHA(r_i) mod q

- increments i (for a next signature)

- sends r_i to the verifier terminal; this sending represents the first part of the signature.

2. The terminal then generates a random value a, to trigger the generation of the second signature part s; this sending constitutes in a way the issuing of a challenge to the card, since the verifier terminal at the same time starts a stopwatch to measure the card's response time to this challenge.

The signature s that the card must send, given the verification formula f(r_i, m, s, a) = r_i that is provided in the verifier, is

$s = [x \cdot \mathrm{SHA}(r_i) \bmod q + \mathrm{SHA}(m, a)] / k_i \bmod q$

This formula involves the coupon r_i, the card's secret x, the message m sent, the number k_i, and the random value a sent by the verifier as a challenge. This formula differs from the one given for the DSA algorithm, s = (m + xr)/k, for several reasons: it must involve the random value a sent as a challenge, so that the verifier can be sure that the timed computation of the signature s only starts once the random value a has reached the card. This is why a hash of m and of the random value a, SHA(m, a), is used instead of m. On the other hand, SHA(r_i) is preferably used rather than r_i, in order to use a coupon value in the form of a string longer than r_i, which is a very short string. This strengthens security. But of course, if x·SHA(r_i) is used instead of x·r_i and SHA(m, a) instead of m, the verification formula must take this into account, and it will be seen later that this is what is done. Other variants of signature computation can be provided, on the sole condition that the verification formula takes them into account.

3. La carte calcule, aussi vite que possible, 
la signature s. Mais comme elle a deja calcul€, avant 
d6clenchement du chronometre, A = xSHA(ri) mod q et I = 
20 1/ki = SHA(x # J, i) il ne lui reste qu'a calculer 

s= I.(SHA(m, a) + A) mod q 
Ce calcul peut etre rapide meme pour un 
microcontrdleur simple et peu coQteux de 8 bits, par 
exemple type 8051 de Intel ou 6805 de Motorola. Des que 
25 le calcul est termine, la carte renvoie la signature s. 



4. Des reception de s, le terminal arrete le 

chronomfetre et effectue les calculs de verification de 
l'authenticite de la signature. Si la signature a 6t6 
30 correctement calculee selon la formule ci-dessus, alors 
on peut verifier qu'on doit avoir l'egalite suivante : 

[y (SHA(ri) /s) mod q g (SHA(m, a) /s) mod q mod p] 
= g kl mod p 

35 
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Le verifieur ne possede pas ki. II possede = 
H(g^ x mod p) ; H est la fonction de ralentissement et de 
compression. 

L'€galite doit done §tre transformee en : 

Hty (SHA(ri)/s) mod q g (SHA(m, a) /s) mod q mod p] 
= H(g ki mod p) = ri 



Le verifieur dispose de r^, de s, de q, de p, de 
10 g, de m, de a, de la fonction de hachage simple SHA, et 
de la fonction de ralentissement et de compression H. II 
vferifie done l'egalite ci-dessus. 

Si l'egalite est obtenue et si la signature a 
6t6 renvoyee dans un delai inferieur a un seuil 
15 determine, la signature est acceptee par le verifieur . Si 
une des deux conditions n'est pas remplie, elle n'est pas 
accept£e . 

A titre d'exemple pour 1' evaluation de la duree 
on peut donner les indications suivantes : appelons T le 

20 temps n&cessaire pour evaluer H(ch) sur un ordinateur 
extrSmement puissant, voire le plus puissant qu'on 
connaisse aujourd'hui. On peut considerer que la fonction 
de ralentissement H, aboutissant a des chalnes de 
longueur e (H ayant egalement une f onctionnalit6 de 

25 compression) est suf f isamment complexe, et en tous cas 
doit €tre choisie suf f isamment complexe, pour que pour 
toute valeur z et tout ordinateur existant, la recherche 
d'une nouvelle valeur ch' telle que z = Hfch') necessite 
un temps T.2 e . 

30 Etant donne que quelqu'un qui ignore le secret 

de la carte ne peut rechercher s que par tatonnements a 
partir de la formule de verification (recherche 
exhaustive), il ne pourra pas, meme avec un seul essai, 
trouver une valeur correcte de s si on choisit de mettre 

35 un seuil de duree de renvoi de signature tres inferieur a 
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cette valeur T.2 e , par exemple 1 millioni&me de cette 
valeur. 

Ceci donne une indication de la m£thodologie a 

suivre pour choisir la fonction de ralentissement H et la 
5 dur£e de seuil. 

In general, the principles explained above and illustrated by an example are applicable to other signature protocols. In particular they are applicable to other protocols in which a precomputation of signature coupons is possible, in particular the following protocols:

- Rueppel-Nyberg: "New signature schemes based on the discrete logarithm problem", published in the proceedings of the Eurocrypt 94 conference.

- Schnorr: "Efficient identification and signatures for smart-cards", published in the proceedings of the Crypto '89 conference.

- El-Gamal: "A public-key cryptosystem and a signature scheme based on discrete logarithms", published in the journal IEEE Transactions on Information Theory, vol. IT-30, no. 4, pages 469-472.

- Guillou-Quisquater: "A practical zero-knowledge protocol fitted to security microprocessors minimizing both transmission and memory", published in the proceedings of the Eurocrypt '88 conference, and "A paradoxical identity-based signature scheme resulting from zero-knowledge", published in the proceedings of the Crypto '88 conference.

- other public-key systems based on the discrete logarithm, in which the equation (m + xr)/k mod q is replaced by another equality involving m, x, r and k (as explained in the article "Meta Message Recovery and Meta Blind Signature schemes based on the discrete logarithm problem and their applications", published by Horster et al. in the proceedings of the Asiacrypt '94 conference), or else using several distinct random values k or several distinct secrets x in the same signature.

WO 96/33567 PCT/FR96/00612

The invention is applicable to the signing of electronic cheques and then makes it possible to produce such cheques with low-cost smart cards (the low cost resulting from the use of an 8-bit microprocessor and of a non-volatile memory of limited size).

Indeed, the message m can represent a transaction carried out by the card with the terminal, which is for example the payment terminal of a merchant. This message m is signed. The terminal verifies the signature in order to accept the message, hence the transaction, but this terminal is also connected to a central management authority (a bank, for example) which must itself be able to check the message and the authenticity of the signature before debiting the signer's account on the one hand and/or crediting the merchant's account on the other.

Thus, after having executed the whole signature and signature-verification procedure described in detail above, the terminal sends the electronic cheque {i, r_i, a, s, m} to the control authority, and the authority makes sure that the signature s is the correct signature, that is to say that:

s = SHA(x, J, i)·[SHA(m, a) + x·SHA(r_i)] mod q

and the authority credits the terminal's account with the amount of the transaction defined in the message m.

It will be noted that in the computation of the signature by the card, the expression SHA(m, i, a) can be used instead of SHA(m, a). In that case the terminal's verification formula must of course take this into account and therefore be:

H[y^(SHA(r_i)/s mod q) · g^(SHA(m, i, a)/s mod q) mod p] = r_i

and the authority's signature verification formula must also take it into account and be:

s = SHA(x, J, i)·[SHA(m, i, a) + x·SHA(r_i)] mod q
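The coupon protocol described above, carried through end to end as an added worked example (this is not code from the patent): the control authority loads coupons r_i = H(g^k_i mod p) with k_i = 1/SHA(x, J, i) mod q, the card does its two-phase computation (I and A before the challenge, the single multiply-add s = I·(SHA(m, a) + A) mod q after it), the terminal applies the timed check H[y^(SHA(r_i)/s) · g^(SHA(m, a)/s) mod p] = r_i, and the central authority re-checks the cheque {i, r_i, a, s, m} using its knowledge of x. Assumptions of this example only: the group parameters (q = 2^61 - 1 and a matching p and g, found at start-up), SHA-256 reduced mod q as the document's "simple" hash SHA, iterated SHA-256 truncated to e = 64 bits as a stand-in for the slowing and compression function H, and the names load_coupons, Card, verify, run_protocol and authority_check, which are mine.

```python
import hashlib
import secrets
import time

# Constructed toy parameters (assumption of this example): q is the Mersenne prime
# 2^61 - 1, p = c*q + 1 is the first prime of that form and g = 2^c has order q
# mod p.  Real deployments use DSA-size p and q.
Q = (1 << 61) - 1

def is_prime(n: int) -> bool:
    """Miller-Rabin; with these 12 bases it is deterministic for 37 < n < 3e23."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _group_params():
    c = 2
    while True:
        p = c * Q + 1
        if is_prime(p) and pow(2, c, p) != 1:
            return p, pow(2, c, p)
        c += 2

P, G = _group_params()

def sha(*parts) -> int:
    """The document's 'simple' hash SHA(...) over several arguments, reduced mod q."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q

E_BITS, H_ROUNDS = 64, 2000  # output length e of H and its slowing factor (assumed)

def H(value: int) -> int:
    """Slowing and compression function H: iterated SHA-256 truncated to e bits."""
    d = value.to_bytes((P.bit_length() + 7) // 8, "big")
    for _ in range(H_ROUNDS):
        d = hashlib.sha256(d).digest()
    return int.from_bytes(d[: E_BITS // 8], "big")

def load_coupons(x: int, J: bytes, n: int) -> dict:
    """Control authority: k_i = 1/SHA(x, J, i) mod q and r_i = H(g^k_i mod p), i = 1..n."""
    coupons = {}
    for i in range(1, n + 1):
        k_i = pow(sha(x, J, i), -1, Q)
        coupons[i] = H(pow(G, k_i, P))
    return coupons  # only the r_i are loaded into the card; the k_i are discarded

class Card:
    """Smart card: keeps x, J, the coupons and the non-volatile counter i."""
    def __init__(self, x: int, J: bytes, coupons: dict):
        self.x, self.J, self.coupons, self.i = x, J, coupons, 1
    def start_signature(self):
        """Before the challenge: I = 1/k_i and A = x*SHA(r_i) mod q; send r_i, bump i."""
        i, r = self.i, self.coupons[self.i]
        self.I = sha(self.x, self.J, i)
        self.A = self.x * sha(r) % Q
        self.i += 1
        return i, r
    def finish_signature(self, m: bytes, a: int) -> int:
        """After the challenge a: s = I*(SHA(m, a) + A) mod q, a single multiply-add."""
        return self.I * (sha(m, a) + self.A) % Q

def verify(y: int, r: int, m: bytes, a: int, s: int, elapsed: float, threshold: float) -> bool:
    """Terminal: H[y^(SHA(r_i)/s) * g^(SHA(m, a)/s) mod p] == r_i, and s arrived in time."""
    if elapsed > threshold or s % Q == 0:
        return False
    s_inv = pow(s, -1, Q)
    value = pow(y, sha(r) * s_inv % Q, P) * pow(G, sha(m, a) * s_inv % Q, P) % P
    return H(value) == r

def run_protocol(card: Card, y: int, m: bytes, threshold: float = 0.5):
    """Whole exchange; returns the electronic cheque {i, r_i, a, s, m} and the verdict."""
    i, r = card.start_signature()
    a = secrets.randbelow(Q)
    t0 = time.perf_counter()  # the chronometer starts when a is sent...
    s = card.finish_signature(m, a)
    elapsed = time.perf_counter() - t0  # ...and stops when s comes back
    cheque = {"i": i, "r": r, "a": a, "s": s, "m": m}
    return cheque, verify(y, r, m, a, s, elapsed, threshold)

def authority_check(x: int, J: bytes, c: dict) -> bool:
    """Central authority (knows x): s == SHA(x, J, i) * [SHA(m, a) + x*SHA(r_i)] mod q."""
    return c["s"] == sha(x, J, c["i"]) * (sha(c["m"], c["a"]) + x * sha(c["r"])) % Q
```

The threshold is measured on the terminal's own clock and the card's timed step is one modular multiply-add, while the slow function H is evaluated only by the verifier and the authority; a reply that arrives late is rejected before any arithmetic is done, which is the property the timing step is there to enforce.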

Referring to the figures, each smart card consists of a processing unit (CPU) 11, a communication interface 10, a random-access memory 13 (RAM) and/or a non-writable memory (ROM) 14 and/or a writable or rewritable non-volatile memory (EPROM or EEPROM) 15.

The processing unit 11 and/or the ROM 14 of the smart card contain programs or computing resources corresponding to the execution of the computation steps performed by the card when loading the coupons and when signing a message or issuing an electronic cheque. These programs include in particular the computation rules for generating s and the rules for using the hash function SHA. The computing unit and the programs in ROM also include the resources needed for multiplications, additions and modular reductions. Some of these operations can be grouped together (for example, the modular reduction can be integrated directly into the multiplication).

As for the DSA algorithm, the RAM of the card contains the message m and the random value a to which the hash function SHA(m, a) or SHA(m, i, a), for example, is applied. The non-volatile memory 15 typically contains the parameters q, x, J and the set of precomputed coupons (r_i). The index i is held in a non-volatile counter, incremented at each new signature generation and reset to zero when coupons are loaded.

The processing unit of the card controls, via the address and data buses 16 and the communication interface 10, the read and write operations in the memories 13, 14 and 15.

Each smart card is protected from the outside world by physical protections 17. These protections should be sufficient to prevent any unauthorised entity from obtaining the secret key x. The techniques most used nowadays in this field are the integration of the chip into a security module and the equipping of chips with devices capable of detecting variations in temperature and light, as well as abnormal voltages and clock frequencies. Particular design techniques such as memory-access scrambling are also used.

The terminal, for its part, consists at minimum of a processing unit (CPU) 30 and memory resources 32, 33, 34.

The CPU 30 controls, via the address and data buses 35 and the communication interface 31, the read and write operations in the memories 32, 33, 34.

The CPU 30 and/or the ROM 34 of the authority contain programs or computing resources enabling the implementation of the computation rules and of the functions of hashing, slowing and compression, multiplication, addition, modular inversion, exponentiation and modular reduction, needed for computing the coupons and for verifying signatures. Some of these operations can be grouped together (multiplication and modular reduction, for example).

The whole of the invention has been described with reference to smart cards, but it will be understood that it is applicable when the signing device is another object, and in particular a portable object such as PCMCIA cards, which are a kind of smart card with parallel rather than serial transmission protocols, or badges, contactless cards, etc. The communication between the card and the terminal can take place either directly by electronic signals or by remote transmission, radio or infrared.
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R E VEND I CAT IONS 

1. Procede de signature electronique, 
comportant la generation d'une signature num&rique (s) 
par un organe signataire qui calcule cette signature en 
utilisant une donnee aleatoire (a) envoyee par un organe 

5 v6rifieur, et la verification de la signature par le 
vferifieur qui verifie si une condition mathematique 
faisant intervenir la signature envoyee et la donnee 
aleatoire est remplie, caracterise en ce que la 
verification de la signature envoyee par le signataire au 

10 vferifieur utilise en outre une etape de chronometrage de 
la duree s'ecoulant entre un instant ou la donnee 
al&atoire est envoyee par le verif ieur au signataire et 
1' instant oCl la signature utilisant cette donnee revient 
au verif ieur apres calcul par 1' organe signataire, la 

15 signature etant acceptee si le temps ecoule est inferieur 
a une seuil determine et si la condition mathematique est 
verif ifee. 

2. Procede selon la revendication 1, caracterise 
20 en ce que le calcul de la signature et la verification 
sont effectues a partir d'un algorithme du type dans 
lequel la generation de signature produit deux valeurs 
{r, s}, s etant calcul^e par le signataire a partir de r 
et d'une cle secrete x, et dans lequel la verification de 
25 la signature {r, s} consiste dans la verification d'une 
egalite v = f (r, s) = r entre r et une fonction f de r et 
de s, et en ce que la fonction f est choisie suf f isamment 
complexe pour que la duree de recherche d'une valeur s a 
partir de cette egalite en 1' absence de connaissance de 
30 la cle secrete x soit tres super ieure, meme si elle est 
faite par un calculateur puissant, a la duree de calcul 
et de transmission par la carte de la valeur s a partir 
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de r et de la cl6 secr&te, et ceci meme si la carte 
utilise un microprocesseur peu puissant. 

3. Proc6d6 selon la revendication 2, caracteris§ 
5 en ce que la fonction f(r, s) fait intervenir aussi un 

message in & signer. 

4. Proc6d§ selon 1'une des revendications 2 et 3, 
caract6ris6 en ce que la fonction f comporte des calculs 

10 mathfematiques suivis d'une fonction de hachage complexe 
(H) r£alisant a la fois un ralentissement de l'obtention 
d'un rfesultat de calcul et une compression de longueur de 
ce rfesultat. 

15 5. Procede selon la revendication 4, caracterise 

en ce que la premiere partie de signature r est etablie 
par d'autres calculs mathematiques, suivis de la mSme 
fonction de hachage complexe (H) . 

20 6. ProcSde de generation de signature et * de 

verification selon l'une des revendications 1 a 5, 
caract6ris6 en ce que la signature envoy6e par le 
signataire comporte au moins un coupon de signature ri et 
un complement de signature s qui est calcule a partir du 

25 coupon r^ et d'une cle secrete x de la carte, le proc6d6 
permettant la verification de signature par le v6rifieur 
a l'aide d'une formule de verification du type 
v = f (ri, s) = ri, 

ce procfedfe etant caractferise en ce que 
30 a. le coupon de signature est etabli a 

l'avance par une autorite certifiee, en deux etapes : 

- calcul d'un nombre represents par une 
chaine binaire longue, a l'aide d'une formule 
mathfimatique faisant intervenir des grands nombres 
35 binaires; 
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- et modification du resultat par une 
fonction de compression complexe reduisant fortement la 
longueur de ce resultat, 

b. une serie de coupons differents de faible 
5 longueur sont ainsi prepares a l'avance et stockes dans 

1' organe signataire, 

c. la generation de signature comporte 
1' envoi d'un coupon ri et d'un complement de signature s 
calcule a partir de et x, 

10 d. la verification de signature comporte un 

calcul mathematique suivi de la meme fonction de 
compression complexe que celle qui a servi a 
1' Elaboration du coupon, et le resultat est compare au 
coupon pour la verification de signature. 

15 

7. Proced6 de generation de signature electronique 
pouvant utiliser une etape de chronometrage selon la 
revendication 1, ce procede comportant la generation 
d'une signature par un organe signataire et la 

20 verification de la signature par un organe verifieur, 
caracterise en ce que la signature envoyee par le 
signataire comprend au moins un coupon de signature ri 
et un complement de signature s qui est calcuie a partir 
du coupon ri et d'une cle secrete x de la carte, la 

25 verification de signature par le verifieur etant 
effectuee a l'aide d'une formule de verification du type 
v = f (ri, s) = ri, et en ce que : 

a. le coupon de signature est etabli a 

l'avance par une autorite certifiee, en deux etapes : 

30 - calcul d'un nombre represente par une 

chalne binaire longue, a l'aide d'une formule 
mathematique faisant intervenir des grands nombres 
binaires; 
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- et modification du resultat par une 
fonction de compression complexe reduisant fortement la 
longueur de ce resultat, 

b. une serie de coupons dif f erents de f aible 
5 longueur sont ainsi prepares a l'avance et stock£s dans 

l'organe signataire, 

c. la generation de signature comporte 
1' envoi d'un coupon r^ et d'un complement de signature s 
calcul6 a partir d'au moins ri et x, 

10 d. la verification de signature comporte un 

calcul mathfematique suivi de la meme fonction de 
compression complexe que celle qui a servi a 
1' elaboration du coupon, et le resultat est compare au 
coupon pour la verification de signature. 

15 

8. Procede selon la revendication 7, caracterise 
en ce que la fonction de compression est une fonction de 
hachage complexe. 

20 9. Procfede selon 1'une des revendications 7 et 8, 

caracteris4 en ce que le calcul du coupon est effectuS a 
partir d'un al6a (J) engendre au depart par la carte et 
stockfe dans la carte pour etre reutilise lorsque le 
coupon sera utilise pour 1' etablissement d'une signature. 

25 

10. Procfede selon l'une des revendications 7 a 9, 
caracteris6 en ce que, pour declencher la generation de 
signature par la carte, l'organe verifieur envoie un alea 
a a la carte, declenche alors un chronomStre, mesure le 

30 temps mis par la carte pour renvoyer le complement de 
signature s calcule a partir d'au moins l'al6a a et la 
cl6 secrete x de la carte, effectue un calcul de 
verification de signature a partir d'au moins la 
signature s et l'aiea a, et accepte la signature si le 

35 calcul v6rifie une condition predfeterminee et si le temps 
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mis par la carte pour renvoyer la signature s utilisant 
l'alea a est inferieur a un seuil predetermine. 

11. Procede selon 1'une des revendications 7 a 10, 
5 caracterise en ce que le complement de signature s est 

etabli a partir d'une fonction de hachage SHA(m, a) d'un 
message m a signer et de l'alea a, et en ce que la meme 
fonction de hachage est utilisee pour la verification de 
signature, 

10 

12. Procede selon 1'une des revendications 7 a 11, 
caracterise en ce que le complement de signature est 
etabli par un calcul faisant intervenir un alea (J) 
stocke dans la carte et ayant servi a etablir le coupon 

15 de signature. 

13. Procede selon la revendication 12, caracterise 
en ce que ce calcul faisant intervenir l'alea (J) stocke 
dans la carte fait aussi intervenir une fonction de 

20 hachage SHA(x, J, i) portant au moins sur cet alea (J) et 
sur un indice i representant un numero du coupon utilise, 
cette meme fonction de hachage SHA(x, J, i) ayant ete 
precedemment utilisee au cours du calcul de chaine 
binaire longue prevu dans le calcul du coupon 

25 correspondant . 

14* Procede selon 1'une des revendications 7 a 13, 
caracterise en ce que le complement de signature est 
etabli par un calcul faisant intervenir une fonction de 
30 hachage du coupon, la meme fonction de hachage du coupon 
etant utilisee pour la verification de signature. 

15 o Procede de generation de signatures numeriques 
de messages par un dispositif signataire et de 
35 verification de ces signatures par un dispositif 
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v6rifieur, le dispositif signataire comportant des moyens 
de calcul, de communication et de retention de donnfees 
comprenant au moins une memoire non volatile programmable 
61ectriquement, procfede selon lequel on prepare des 
5 donnfees chiffrees constituant des coupons de signature r£ 
que l'on charge dans la memoire non-volatile et que le 
dispositif signataire utilise pour signer des messages, 
principalement caracterisS en ce que : 

- les coupons sont compresses par application 
10 d'une fonction de compression (H) , dite encore fonction 

de hachage, par une autorite certifiee avant d'etre 
charges dans la memoire, 

et en ce qu'il comporte les echanges suivants : 

- un message m est transmis et ce message doit 
15 etre certifie par une signature; 

le signataire envoie un coupon ri au 

vSrif ieur , 

- le verifieur envoie un nombre aleatoire a au 
signataire et declenche un chronometre, 

20 - le signataire calcule la signature s . du 

message et 1' envoie au verifieur, 

- le verifieur arrete le chronometre et verifie 
que la signature a ete obtenue par le secret detenu dans 
la carte et le coupon ri regu; cette verification est 

25 faite en v6rifiant 1'egalite suivante : v = f (ri, s, m) = 
*i 

- le verifieur accepte la signature si la 
condition de verification v = ri est remplie et si le 
temps chronomStrS ne dSpasse pas une duree predetermine 

30 impart ie. 
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Method for proving the authenticity of an entity and/or the integrity of a 
message by means of a public exponent equal to the power of two 

The present invention relates to the methods, systems and devices designed to 
prove the authenticity of an entity and/or the integrity and/or authenticity of a 
5 message. 

The patent EP 0 311 470 Bl, whose inventors are Louis Guillou and Jean- 
Jacques Quisquater, describes such a method. Hereinafter, reference shall be made 
to their work by the terms "GQ patent" or "GQ method". Hereinafter, the expression 
"GQ2", or "GQ2 invention" or "GQ2 technology" shall be used to describe the 

10 present invention. — 

According to the GQ method, an entity known as a "trusted authority" assigns an identity to each entity called a "witness" and computes its RSA signature. In a customizing process, the trusted authority gives the witness an identity and signature. Thereafter, the witness declares the following: "Here is my identity; I know its RSA signature". The witness proves that he knows the RSA signature of his identity without revealing this signature. Through the RSA public identification key distributed by the trusted authority, an entity known as a "controller" ascertains, without obtaining knowledge thereof, that the RSA signature corresponds to the declared identity. The mechanisms using the GQ method run "without transfer of knowledge". According to the GQ method, the witness does not know the RSA private key with which the trusted authority signs a large number of identities.

The GQ technology described here above makes use of RSA technology. However, while the RSA technology truly depends on the factorization of the modulus n, this dependence is not an equivalence, indeed far from it, as can be seen in what are called multiplicative attacks against various standards of digital signatures implementing the RSA technology.

The goal of the GQ2 technology is twofold: firstly to improve the performance characteristics of RSA technology and secondly to avert the problems inherent in RSA technology. Knowledge of the GQ2 private key is equivalent to knowledge of the factorization of the modulus n. Any attack on the GQ2 triplets leads to the factorization of the modulus n: this time there is equivalence. With the GQ2 technology, the work load is reduced for the signing or self-authenticating entity and for the controller entity. Through a better use of the factorization problem in terms of both security and performance, the GQ2 technology averts the drawbacks of RSA technology.

The GQ method implements modulo computations of numbers comprising 512 bits or more. These computations relate to numbers having substantially the same size raised to powers of the order of 2^16 + 1. Now, existing microelectronic infrastructures, especially in the field of bank cards, make use of monolithic self-programmable microprocessors without arithmetical coprocessors. The work load related to the multiple arithmetical operations involved in methods such as the GQ method leads to computation times which, in certain cases, prove to be disadvantageous for consumers using bank cards to pay for their purchases. It may be recalled here that, in seeking to increase the security of payment cards, the banking authorities have raised a problem that is particularly difficult to resolve. Indeed, two apparently contradictory questions have to be resolved: on the one hand, increasing security by using increasingly lengthy and distinct keys for each card while, on the other hand, preventing the work load from leading to excessive computation times for the user. This problem becomes especially acute inasmuch as it is also necessary to take account of the existing infrastructure and the existing microprocessor components.

The GQ2 technology provides a solution to this problem while boosting 
security. 

Method

More particularly, the invention relates to a method designed to prove the following to a controller entity:

- the authenticity of an entity and/or

- the integrity of a message M associated with this entity.

This proof is established by means of all or part of the following parameters or derivatives of these parameters:

- m pairs of private values Q_1, Q_2, ... Q_m and public values G_1, G_2, ... G_m (m being greater than or equal to 1),

- a public modulus n constituted by the product of f prime factors p_1, p_2, ... p_f (f being greater than or equal to 2),

- a public exponent v.

Said modulus, said exponent and said values are related by relations of the type

G_i · Q_i^v ≡ 1 mod n  or  G_i ≡ Q_i^v mod n.

Said exponent v is such that

v = 2^k

where k is a security parameter greater than 1.

Said public value G_i is the square g_i^2 of a base number g_i smaller than the f prime factors p_1, p_2, ... p_f. The base number g_i is such that the two equations:

x^2 ≡ g_i mod n  and  x^2 ≡ -g_i mod n

cannot be solved in x in the ring of integers modulo n, and such that the equation:

x^v ≡ g_i^2 mod n

can be solved in x in the ring of integers modulo n.

Said method implements an entity called a witness in the following steps. Said witness entity has the f prime factors p_i and/or the parameters of the Chinese remainders of the prime factors and/or the public modulus n and/or the m private values Q_i and/or the f·m components Q_{i,j} (Q_{i,j} = Q_i mod p_j) of the private values Q_i, and the public exponent v.

The witness computes commitments R in the ring of integers modulo n. Each commitment is computed:

° either by performing operations of the type:

R = r^v mod n

where r is a random value such that 0 < r < n,

° or

° ° by performing operations of the type:

R_i = r_i^v mod p_i

where r_i is a random value associated with the prime number p_i such that 0 < r_i < p_i, each r_i belonging to a collection of random values {r_1, r_2, ... r_f},

° ° then by applying the Chinese remainder method.

The witness receives one or more challenges d. Each challenge d comprises m integers d_i hereinafter called elementary challenges. The witness, on the basis of each challenge d, computes a response D,

° either by performing operations of the type:

D = r · Q_1^d_1 · Q_2^d_2 · ... Q_m^d_m mod n

° or

° ° by performing operations of the type:

D_i = r_i · Q_{i,1}^d_1 · Q_{i,2}^d_2 · ... Q_{i,m}^d_m mod p_i

and then by applying the Chinese remainder method.

The method is such that there are as many responses D as there are challenges d as there are commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}.

Case of the proof of the authenticity of an entity

In a first alternative embodiment, the method according to the invention is designed to prove the authenticity of an entity known as a demonstrator to an entity known as the controller. Said demonstrator entity comprises the witness. Said demonstrator and controller entities execute the following steps:

° Step 1: act of commitment R

At each call, the witness computes each commitment R by applying the process specified here above. The demonstrator sends the controller all or part of each commitment R.

° Step 2: act of challenge d

The controller, after having received all or part of each commitment R, produces challenges d whose number is equal to the number of commitments R and sends the challenges d to the demonstrator.

° Step 3: act of response D

The witness computes the responses D from the challenges d by applying the above-specified process.

° Step 4: act of checking

The demonstrator sends each response D to the controller.

First case: the demonstrator has transmitted a part of each commitment R

If the demonstrator has transmitted a part of each commitment R, the controller, having the m public values G_1, G_2, ... G_m, computes a reconstructed commitment R' from each challenge d and each response D, this reconstructed commitment R' satisfying a relationship of the type

R' ≡ G_1^d_1 · G_2^d_2 · ... G_m^d_m · D^v mod n

or a relationship of the type

R' ≡ D^v / (G_1^d_1 · G_2^d_2 · ... G_m^d_m) mod n

The controller ascertains that each reconstructed commitment R' reproduces all or part of each commitment R that has been transmitted to it.

Second case: the demonstrator has transmitted the totality of each commitment R

If the demonstrator has transmitted the totality of each commitment R, the controller, having the m public values G_1, G_2, ... G_m, ascertains that each commitment R satisfies a relationship of the type

R ≡ G_1^d_1 · G_2^d_2 · ... G_m^d_m · D^v mod n

or a relationship of the type

R ≡ D^v / (G_1^d_1 · G_2^d_2 · ... G_m^d_m) mod n
Case of the proof of the integrity of the message

In a second alternative embodiment, capable of being combined with the first one, the method of the invention is designed to provide proof to an entity, known as the controller entity, of the integrity of a message M associated with an entity called a demonstrator entity. Said demonstrator entity comprises the witness. Said demonstrator and controller entities perform the following steps:

° Step 1: act of commitment R

At each call, the witness computes each commitment R by applying the process specified here above.

° Step 2: act of challenge d

The demonstrator applies a hashing function h whose arguments are the message M and all or part of each commitment R to compute at least one token T. The demonstrator sends the token T to the controller. The controller, after having received a token T, produces challenges d equal in number to the number of commitments R and sends the challenges d to the demonstrator.

° Step 3: act of response D

The witness computes the responses D from the challenges d by applying the above-specified process.

° Step 4: act of checking

The demonstrator sends each response D to the controller. The controller, having the m public values G_1, G_2, ... G_m, computes a reconstructed commitment R' from each challenge d and each response D, this reconstructed commitment R' satisfying a relationship of the type

R' ≡ G_1^d_1 · G_2^d_2 · ... G_m^d_m · D^v mod n

or a relationship of the type

R' ≡ D^v / (G_1^d_1 · G_2^d_2 · ... G_m^d_m) mod n

Then the controller applies the hashing function h whose arguments are the message M and all or part of each reconstructed commitment R' to reconstruct the token T'. Then the controller ascertains that the token T' is identical to the token T transmitted.

Digital signature of a message and proof of its authenticity 
In a third alternative embodiment, which can be combined with the above 
two, the method according to the invention is designed to produce the digital 
signature of a message M by an entity known as the signing entity. Said signing 
entity includes the witness. 

Signing operation 
Said signing entity executes a signing operation in order to obtain a signed 
message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D. 

Said signing entity executes the signing operation by implementing the 
following steps: 

° Step 1: act of commitment R 

At each call, the witness computes each commitment R by applying the 
process specified here above. 

° Step 2: act of challenge d 

The signing party applies a hashing function h whose arguments are the 
message M and each commitment R to obtain a binary train. From this binary train, 
the signing party extracts challenges d whose number is equal to the number of 
commitments R. 

° Step 3: act of response D 

The witness computes the responses D from the challenges d by applying the 
above-specified process. 
Checking operation 

To prove the authenticity of the message M, an entity called a controller 
checks the signed message. Said controller entity, having the signed message, carries 
out a checking operation by proceeding as follows. 

° Case where the controller has commitments R, challenges d, responses D 

If the controller has commitments R, challenges d and responses D, the controller 
ascertains that the commitments R, the challenges d and the responses D satisfy 
relationships of the type 

$R \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod{n}$ 

or relationships of the type: 

$R \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod{n}$ 

Then the controller ascertains that the message M, the challenges d and the 
commitments R satisfy the hashing function: 

$d = h(M, R)$ 

° Case where the controller has challenges d and responses D 

If the controller has challenges d and responses D, the controller reconstructs, 
on the basis of each challenge d and each response D, commitments R' satisfying 
relationships of the type 

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod{n}$ 

or relationships of the type: 

$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod{n}$ 

Then the controller ascertains that the message M and the challenges d satisfy 
the hashing function: 

$d = h(M, R')$ 

° Case where the controller has commitments R and responses D 

If the controller has commitments R and responses D, the controller applies 
the hashing function and reconstructs d': 

$d' = h(M, R)$ 

Then the controller ascertains that the commitments R, the challenges 
d' and the responses D satisfy relationships of the type 

$R \equiv G_1^{d'_1} \cdot G_2^{d'_2} \cdots G_m^{d'_m} \cdot D^v \pmod{n}$ 

or relationships of the type: 

$R \equiv D^v / (G_1^{d'_1} \cdot G_2^{d'_2} \cdots G_m^{d'_m}) \pmod{n}$ 
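
The three embodiments described above (the interactive proof of authenticity, the proof of message integrity by a hashed token, and the signature with its three checking cases) all rest on the same witness computation, so one worked example covers them together. It is an added illustration, not code from the patent: the two toy primes, the use of SHA-256 as the hashing function h, the 16-byte encoding of R inside h, and the way k-bit elementary challenges are cut from the binary train are all assumptions of this example. It uses the relation $G_i \equiv Q_i^v \pmod{n}$ and the second form of the checking relationship; the other relation, $G_i \cdot Q_i^v \equiv 1 \pmod{n}$, differs only in replacing each $Q_i$ by its inverse modulo n and using the first form. 

```python
import hashlib
import secrets

# Constructed toy parameters (not from the patent): both primes are 3 mod 4,
# an assumption that makes -1 a non-residue and gives each quadratic residue a
# unique 2^k-th root that is itself a residue. Real factors are 512+ bits.
PRIMES = [1_000_000_007, 2_147_483_647]
K = 3                       # security parameter k > 1
V = 2 ** K                  # public exponent v = 2^k
N = PRIMES[0] * PRIMES[1]   # public modulus n = p_1 * p_2

def is_qr(a, p):
    """Euler criterion: True iff x^2 = a mod p has a solution."""
    return pow(a % p, (p - 1) // 2, p) == 1

def crt(residues, moduli):
    """Recombine one residue per prime into a value modulo their product."""
    x, m = 0, 1
    for r, p in zip(residues, moduli):
        x += m * (((r - x) * pow(m, -1, p)) % p)
        m *= p
    return x % m

def keygen(m):
    """m pairs (G_i, Q_i), G_i = g_i^2 mod n, G_i = Q_i^v mod n. g_i is chosen so
    neither g_i nor -g_i is a square mod n (residue mod exactly one prime);
    the v-th root is taken per prime, v being invertible mod the odd (p-1)/2."""
    G, Q, g = [], [], 2
    while len(G) < m:
        if is_qr(g, PRIMES[0]) != is_qr(g, PRIMES[1]):
            Gi = g * g % N
            Qi = crt([pow(Gi, pow(V, -1, (p - 1) // 2), p) for p in PRIMES], PRIMES)
            assert pow(Qi, V, N) == Gi
            G.append(Gi)
            Q.append(Qi)
        g += 1
    return G, Q

def commit():
    """Step 1 (witness): random r, 0 < r < n, and commitment R = r^v mod n."""
    r = secrets.randbelow(N - 1) + 1
    return r, pow(r, V, N)

def challenge(m):
    """Step 2 (controller): m elementary challenges d_i, 0 <= d_i < v."""
    return [secrets.randbelow(V) for _ in range(m)]

def respond(r, Q, d):
    """Step 3 (witness): D = r * Q_1^d_1 * ... * Q_m^d_m mod n."""
    D = r
    for Qi, di in zip(Q, d):
        D = D * pow(Qi, di, N) % N
    return D

def reconstruct(G, d, D):
    """Step 4 (controller): R' = D^v / (G_1^d_1 * ... * G_m^d_m) mod n."""
    denom = 1
    for Gi, di in zip(G, d):
        denom = denom * pow(Gi, di, N) % N
    return pow(D, V, N) * pow(denom, -1, N) % N

def h(message, R):
    """Hashing function h(M, R); SHA-256 over M || R is this example's choice."""
    return hashlib.sha256(message + R.to_bytes(16, "big")).digest()

def challenges_from_hash(digest, m):
    """Cut m elementary challenges of k bits each from the binary train."""
    train = int.from_bytes(digest, "big")
    return [(train >> (K * i)) & (V - 1) for i in range(m)]

def authenticate(G, Q, m):
    """First embodiment: interactive proof of authenticity, R sent in full."""
    r, R = commit()
    d = challenge(m)
    return reconstruct(G, d, respond(r, Q, d)) == R

def prove_integrity(G, Q, message, m):
    """Second embodiment: the token T = h(M, R) is sent instead of R."""
    r, R = commit()
    T = h(message, R)
    d = challenge(m)
    return h(message, reconstruct(G, d, respond(r, Q, d))) == T

def sign(Q, message, m):
    """Third embodiment: signed message (M, R, d, D), d cut from h(M, R)."""
    r, R = commit()
    d = challenges_from_hash(h(message, R), m)
    return message, R, d, respond(r, Q, d)

def verify_signature(G, message, R=None, d=None, D=None):
    """Three checking cases: (R, d, D); (d, D) rebuilding R'; (R, D) rebuilding d'."""
    m = len(G)
    if R is not None and d is not None:
        return reconstruct(G, d, D) == R and d == challenges_from_hash(h(message, R), m)
    if d is not None:
        return d == challenges_from_hash(h(message, reconstruct(G, d, D)), m)
    d_prime = challenges_from_hash(h(message, R), m)
    return reconstruct(G, d_prime, D) == R
```

With k = 3 and m elementary challenges, a single round lets an impostor succeed with probability $2^{-km}$, which is why the patent leaves m and k as security parameters; the toy modulus here is far too small to be secure and only serves to make the relationships visible. 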

System 

The present invention also relates to a system designed to prove the following 
to a controller server: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

This proof is established by means of all or part of the following parameters or 
derivatives of these parameters: 

- m pairs of private values $Q_1, Q_2, \ldots, Q_m$ and public values $G_1, G_2, \ldots, G_m$ 
(m being greater than or equal to 1), 

- a public modulus n constituted by the product of said f prime factors $p_1, p_2, \ldots, p_f$ 
(f being greater than or equal to 2), 

- a public exponent v. 

Said modulus, said exponent and said values are linked by relations of the type 

$G_i \cdot Q_i^v \equiv 1 \pmod{n}$ or $G_i \equiv Q_i^v \pmod{n}$. 

Said exponent v is such that 

$v = 2^k$ 

where k is a security parameter greater than 1. 

Said public value $G_i$ is the square $g_i^2$ of the base number $g_i$, smaller than the f 
prime factors $p_1, p_2, \ldots, p_f$. The base number $g_i$ is such that the two equations: 

$x^2 \equiv g_i \pmod{n}$ and $x^2 \equiv -g_i \pmod{n}$ 

cannot be resolved in x in the ring of integers modulo n, and such that the equation: 

$x^v \equiv g_i^2 \pmod{n}$ 

can be resolved in x in the ring of integers modulo n. 

Said system comprises a witness device, contained especially in a nomad 
object which, for example, takes the form of a microprocessor-based bank card. The 
witness device comprises a memory zone containing the f prime factors $p_j$ and/or the 
parameters of the Chinese remainders of the prime factors and/or the public modulus 
n and/or the m private values $Q_i$ and/or the $f \cdot m$ components $Q_{i,j}$ ($Q_{i,j} = Q_i \bmod p_j$) of 
the private values $Q_i$, and of the public exponent v. The witness device also 
comprises: 

- random value production means, hereinafter called random value production 
means of the witness device, 

- computation means, hereinafter called means for the computation of 
commitments R of the witness device. 

The computation means compute commitments R in the ring of integers 
modulo n. Each commitment is computed: 

° either by performing operations of the type: 

$R = r^v \bmod n$ 

where r is a random value produced by the random value production means, r being 
such that $0 < r < n$, 

° or by performing operations of the type: 

$R_i = r_i^v \bmod p_i$ 

where $r_i$ is a random value associated with the prime number $p_i$ such that $0 < r_i < p_i$, 
each $r_i$ belonging to a collection of random values $\{r_1, r_2, \ldots, r_f\}$, then by applying 
the Chinese remainder method. 

The witness device also comprises: 

- reception means, hereinafter called the means for the reception of the 
challenges d of the witness device, to receive one or more challenges d, each 
challenge d comprising m integers $d_i$ hereinafter called elementary challenges, 

- computation means, hereinafter called means for the computation of the 
responses D of the witness device, for the computation, on the basis of each challenge 
d, of a response D, 

° either by performing operations of the type: 

$D = r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \cdots Q_m^{d_m} \bmod n$ 

° or by performing operations of the type: 

$D_i = r_i \cdot Q_{1,i}^{d_1} \cdot Q_{2,i}^{d_2} \cdots Q_{m,i}^{d_m} \bmod p_i$ 

and then by applying the Chinese remainder method. 

The witness device also comprises transmission means to transmit one or more 
commitments R and one or more responses D. There are as many responses D as 
there are challenges d as there are commitments R, each group of numbers R, d, D 
forming a triplet referenced {R, d, D}. 
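
As an added example (not the patent's own code) of the second computation route of the witness device, the following computes R and D factor by factor from the components $Q_{i,j}$, recombines them by the Chinese remainder method, and checks the result against the direct computation modulo n and against the controller's relationship. The three primes, the exponent and the private values are constructed for the demonstration; the equalities hold for any choice of them, which is why no key generation is needed here. 

```python
from math import prod

# Constructed toy values (not from the patent): f = 3 prime factors, v = 2^k
# with k = 4, m = 2 private values Q_i. The equalities checked below hold for
# any Q_i, since they compare the per-factor route with direct arithmetic mod n.
PRIMES = [1_000_000_007, 2_147_483_647, 998_244_353]
N = prod(PRIMES)                                 # public modulus n
V = 2 ** 4                                       # public exponent v = 2^k
Q = [123_456_789_012_345, 987_654_321_098_765]   # private values Q_1, Q_2
G = [pow(Qi, V, N) for Qi in Q]                  # public values, G_i = Q_i^v mod n

def crt(residues, moduli):
    """Chinese remainder recombination of one residue per prime factor."""
    x, m = 0, 1
    for r, p in zip(residues, moduli):
        x += m * (((r - x) * pow(m, -1, p)) % p)
        m *= p
    return x % m

def components(Q):
    """The f*m components Q_{i,j} = Q_i mod p_j that the card may store
    instead of the Q_i themselves; indexed [i][j]."""
    return [[Qi % p for p in PRIMES] for Qi in Q]

def commit_crt(r_list):
    """R_j = r_j^v mod p_j for each factor, then R by the Chinese remainder method."""
    return crt([pow(rj, V, p) for rj, p in zip(r_list, PRIMES)], PRIMES)

def respond_crt(r_list, Qc, d):
    """D_j = r_j * Q_{1,j}^d_1 * ... * Q_{m,j}^d_m mod p_j for each factor, then D."""
    Dj = []
    for j, p in enumerate(PRIMES):
        x = r_list[j]
        for i, di in enumerate(d):
            x = x * pow(Qc[i][j], di, p) % p
        Dj.append(x)
    return crt(Dj, PRIMES)

def direct(r_list, d):
    """Reference: the other branch of the witness device, working mod n with
    the single random value r = CRT(r_1, ..., r_f)."""
    r = crt(r_list, PRIMES)
    D = r
    for Qi, di in zip(Q, d):
        D = D * pow(Qi, di, N) % N
    return pow(r, V, N), D

def controller_check(R, d, D):
    """The controller's relationship R = D^v / (G_1^d_1 * ... * G_m^d_m) mod n."""
    denom = 1
    for Gi, di in zip(G, d):
        denom = denom * pow(Gi, di, N) % N
    return pow(D, V, N) * pow(denom, -1, N) % N == R
```

The per-factor route is what makes the scheme attractive on a card: each exponentiation is done modulo a factor roughly 1/f the size of n, and the card never has to hold the $Q_i$ in full, only the components $Q_{i,j}$ together with the primes and the Chinese remainder parameters. 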

Case of the proof of the authenticity of an entity 

In a first alternative embodiment, the system according to the invention is 
designed to prove the authenticity of an entity called a demonstrator to an entity 
called a controller. 

Said system is such that it comprises a demonstrator device associated with a 
demonstrator entity. Said demonstrator device is interconnected with the witness 
device by interconnection means. It may especially take the form of logic 
microcircuits in a nomad object, for example the form of a microprocessor in a 
microprocessor-based bank card. 

Said system also comprises a controller device associated with the controller 
entity. Said controller device especially takes the form of a terminal or remote 
server. Said controller device comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the demonstrator device. 

Said system is used to execute the following steps: 

° Step 1: act of commitment R 

At each call, the means of computation of the commitments R of the witness 
device compute each commitment R by applying the process specified here above. 
The witness device has means of transmission, hereinafter called transmission means 
of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means. The demonstrator device 
also has transmission means, hereinafter called the transmission means of the 
demonstrator, to transmit all or part of each commitment R to the controller device 
through the connection means. 

° Step 2: act of challenge d 

The controller device comprises challenge production means for the 
production, after receiving all or part of each commitment R, of the challenges d 
equal in number to the number of commitments R. The controller device also has 
transmission means, hereinafter known as the transmission means of the controller, 
to transmit the challenges d to the demonstrator through the connection means. 

° Step 3: act of response D 

The means of reception of the challenges d of the witness device receive each 
challenge d coming from the demonstrator device through the interconnection 
means. The means of computation of the responses D of the witness device compute 
the responses D from the challenges d by applying the process specified here above. 

° Step 4: act of checking 



The transmission means of the demonstrator transmit each response D to the 
controller. The controller device also comprises: 

- computation means, hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the 
controller device. 

First case: the demonstrator has transmitted a part of each commitment R 

If the transmission means of the demonstrator have transmitted a part of each 
commitment R, the computation means of the controller device, having the m public 
values $G_1, G_2, \ldots, G_m$, compute a reconstructed commitment R' from each 
challenge d and each response D, this reconstructed commitment R' satisfying a 
relationship of the type 

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod{n}$ 

or a relationship of the type 

$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod{n}$ 

The comparison means of the controller device compare each reconstructed 
commitment R' with all or part of each commitment R received. 

Second case: the demonstrator has transmitted the totality of each 
commitment R 

If the transmission means of the demonstrator have transmitted the totality of 
each commitment R, the computation means and the comparison means of the 
controller device, having the m public values $G_1, G_2, \ldots, G_m$, ascertain that each 
commitment R satisfies a relationship of the type 

$R \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod{n}$ 

or a relationship of the type 

$R \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod{n}$ 
Case of the proof of the integrity of a message 

In a second alternative embodiment, which can be combined with the first 
one, the system according to the invention is designed to give proof to an entity, 
known as a controller, of the integrity of a message M associated with an entity 
known as a demonstrator. Said system is such that it comprises a demonstrator 
device associated with the demonstrator entity. Said demonstrator device is 
interconnected with the witness device by interconnection means. Said demonstrator 
device may especially take the form of logic microcircuits in a nomad object, for 
example the form of a microprocessor in a microprocessor-based bank card. Said 
system also comprises a controller device associated with the controller entity. Said 
controller device especially takes the form of a terminal or remote server. Said 
controller device comprises connection means for its electrical, electromagnetic, 
optical or acoustic connection, especially through a data-processing communications 
network, to the demonstrator device. 

Said system is used to execute the following steps: 

° Step 1: act of commitment R 

At each call, the means of computation of the commitments R of the witness 
device compute each commitment R by applying the process specified here above. 
The witness device has means of transmission, hereinafter called transmission means 
of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means. 

° Step 2: act of challenge d 

The demonstrator device comprises computation means, hereinafter called the 
computation means of the demonstrator, applying a hashing function h whose 
arguments are the message M and all or part of each commitment R to compute at 
least one token T. The demonstrator device also has transmission means, hereinafter 
known as the transmission means of the demonstrator device, to transmit each token 
T through the connection means to the controller device. The controller device also 
has challenge production means for the production, after having received the token 
T, of the challenges d in a number equal to the number of commitments R. The 
controller device also has transmission means, hereinafter called the transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means. 

° Step 3: act of response D 
The means of reception of the challenges d of the witness device receive each 
challenge d coming from the demonstrator device through the interconnection 
means. The means of computation of the responses D of the witness device compute 
the responses D from the challenges d by applying the process specified here above. 

° Step 4: act of checking 

The transmission means of the demonstrator transmit each response D to the 
controller. The controller device also comprises computation means, hereinafter 
called the computation means of the controller device, having the m public values 
$G_1, G_2, \ldots, G_m$, to firstly compute a reconstructed commitment R' from each challenge 
d and each response D, this reconstructed commitment R' satisfying a relationship of 
the type 

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod{n}$ 

or a relationship of the type 

$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod{n}$ 

then, secondly, compute a token T' by applying the hashing function h having as 
arguments the message M and all or part of each reconstructed commitment R'. 

The controller device also has comparison means, hereinafter known as the 
comparison means of the controller device, to compare the computed token T f with 
the received token T. 

Digital signature of a message and proof of its authenticity 
In a third alternative embodiment, which can be combined with either or 
both of the first two embodiments, the system according to the invention is designed 
to produce the digital signature of a message M, hereinafter known as a signed 
message, by an entity called a signing entity. The signed message comprises: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D. 
Signing operation 

Said system is such that it comprises a signing device associated with the 
signing entity. Said signing device is interconnected with the witness device by 
interconnection means. It may especially take the form of logic microcircuits in a 
nomad object, for example the form of a microprocessor in a microprocessor-based 
bank card. 

Said system is used to execute the following steps: 
° Step 1: act of commitment R 

At each call, the means of computation of the commitments R of the witness 
device compute each commitment R by applying the process specified here above. 
The witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
signing device through the interconnection means. 

° Step 2: act of challenge d 

The signing device comprises computation means, hereinafter called the 
computation means of the signing device, applying a hashing function h whose 
arguments are the message M and all or part of each commitment R to compute a 
binary train and extract, from this binary train, challenges d whose number is equal 
to the number of commitments R. 

° Step 3: act of response D 

The means for the reception of the challenges d of the witness device receive 
each challenge d coming from the signing device through the interconnection means. 
The means for computing the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified here above. 

The witness device comprises transmission means, hereinafter called means 
of transmission of the witness device, to transmit the responses D to the signing 
device through the interconnection means. 

Checking operation 

To prove the authenticity of the message M, an entity known as the controller 
checks the signed message. 

The system comprises a controller device associated with the controller 
entity. Said controller device especially takes the form of a terminal or remote 
server. Said controller device comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the signing device. 

The signing device associated with the signing entity comprises transmission 
means, hereinafter known as the transmission means of the signing device, for the 
transmission, to the controller device, of the signed message through the connection 
means. Thus the controller device has a signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D. 

The controller device comprises: 

- computation means hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the 
controller device. 

° Case where the controller device has commitments R, challenges d, 
responses D 

Should the controller device have commitments R, challenges d and responses D, 
the computation and comparison means of the controller device ascertain that the 
commitments R, the challenges d and the responses D satisfy relationships of the 
type 

$R \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod{n}$ 

or relationships of the type 

$R \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod{n}$ 

Then, the computation and comparison means of the controller device 
ascertain that the message M, the challenges d and the commitments R satisfy the 
hashing function: 

$d = h(M, R)$ 

° Case where the controller device has challenges d and responses D 

If the controller has challenges d and responses D, the controller reconstructs, on the 
basis of each challenge d and each response D, commitments R' satisfying 
relationships of the type 

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod{n}$ 

or relationships of the type: 

$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod{n}$ 

Then the controller ascertains that the message M and the challenges d satisfy 
the hashing function: 

$d = h(M, R')$ 
° Case where the controller has commitments R and responses D 

If the controller has commitments R and responses D, the computation means 
of the controller device apply the hashing function and compute d' such that 

$d' = h(M, R)$ 

Then the computation and comparison means of the controller device 
ascertain that the commitments R, the challenges d' and the responses D satisfy 
relationships of the type 

$R \equiv G_1^{d'_1} \cdot G_2^{d'_2} \cdots G_m^{d'_m} \cdot D^v \pmod{n}$ 

or relationships of the type: 

$R \equiv D^v / (G_1^{d'_1} \cdot G_2^{d'_2} \cdots G_m^{d'_m}) \pmod{n}$ 

Terminal Device 

The invention also relates to a terminal device associated with an entity. The 
terminal device especially takes the form of a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card. The terminal device is 
designed to prove the following to a controller server: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity. 

This proof is established by means of all or part of the following parameters or 
derivatives of these parameters: 

- m pairs of private values $Q_1, Q_2, \ldots, Q_m$ and public values $G_1, G_2, \ldots, G_m$ 
(m being greater than or equal to 1), 

- a public modulus n constituted by the product of said f prime factors $p_1, p_2, \ldots, p_f$ 
(f being greater than or equal to 2), 

- a public exponent v. 

Said modulus, said exponent and said values are related by relations of the type 

$G_i \cdot Q_i^v \equiv 1 \pmod{n}$ or $G_i \equiv Q_i^v \pmod{n}$. 

Said exponent v is such that 

$v = 2^k$ 

where k is a security parameter greater than 1. 

Said public value $G_i$ is the square $g_i^2$ of the base number $g_i$, smaller than the f 
prime factors $p_1, p_2, \ldots, p_f$. The base number $g_i$ is such that the two equations: 

$x^2 \equiv g_i \pmod{n}$ and $x^2 \equiv -g_i \pmod{n}$ 

cannot be resolved in x in the ring of integers modulo n, and such that the equation: 

$x^v \equiv g_i^2 \pmod{n}$ 

can be resolved in x in the ring of integers modulo n. 

Said terminal device comprises a witness device comprising a memory zone 
containing the f prime factors $p_j$ and/or the parameters of the Chinese remainders of 
the prime factors and/or the public modulus n and/or the m private values $Q_i$ and/or 
the $f \cdot m$ components $Q_{i,j}$ ($Q_{i,j} = Q_i \bmod p_j$) of the private values $Q_i$, and of the public 
exponent v. 

The witness device also comprises: 

- random value production means, hereinafter called random value production 
means of the witness device, 

- computation means, hereinafter called means for the computation of 
commitments R of the witness device, to compute commitments R in the ring of the 
integers modulo n. 

Each commitment is computed: 

° either by performing operations of the type: 

$R = r^v \bmod n$ 

where r is a random value produced by the random value production means, r being 
such that $0 < r < n$, 

° or by performing operations of the type: 

$R_i = r_i^v \bmod p_i$ 

where $r_i$ is a random value associated with the prime number $p_i$ such that $0 < r_i < p_i$, 
each $r_i$ belonging to a collection of random values $\{r_1, r_2, \ldots, r_f\}$ produced by the 
random value production means, then by applying the Chinese remainder method. 
The witness device also comprises: 

- reception means, hereinafter called the means for the reception of the 
challenges d of the witness device, to receive one or more challenges d, each 
challenge d comprising m integers $d_i$ hereinafter called elementary challenges, 

- computation means, hereinafter called means for the computation of the 
responses D of the witness device, for the computation, on the basis of each 
challenge d, of a response D, 

° either by performing operations of the type: 

$D = r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \cdots Q_m^{d_m} \bmod n$ 

° or by performing operations of the type: 

$D_i = r_i \cdot Q_{1,i}^{d_1} \cdot Q_{2,i}^{d_2} \cdots Q_{m,i}^{d_m} \bmod p_i$ 

and then by applying the Chinese remainder method. 

Said witness device also comprises transmission means to transmit one or more 
commitments R and one or more responses D. There are as many responses D as 
there are challenges d as there are commitments R. Each group of numbers R, d, D 
forms a triplet referenced {R, d, D}. 

Case of the proof of the authenticity of an entity 

In a first alternative embodiment, the terminal device according to the 
invention is designed to prove the authenticity of an entity called a demonstrator to 
an entity called a controller. 

Said terminal device is such that it comprises a demonstrator device 
associated with a demonstrator entity. Said demonstrator device is interconnected 
with the witness device by interconnection means. It may especially take the form of 
logic microcircuits in a nomad object, for example the form of a microprocessor in a 
microprocessor-based bank card. 

Said demonstrator device also comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the controller device associated with the controller 
entity. Said controller device especially takes the form of a terminal or remote 
server. 

Said terminal device is used to execute the following steps: 
° Step 1: act of commitment R 

At each call, the means of computation of the commitments R of the witness 
device compute each commitment R by applying the process specified here above. 

The witness device has means of transmission, hereinafter called transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means. The demonstrator device 
also has transmission means, hereinafter called the transmission means of the 
demonstrator, to transmit all or part of each commitment R to the controller device, 
through the connection means. 

° Steps 2 and 3: act of challenge d, act of response D 

The means of reception of the challenges d of the witness device receive each 
challenge d coming from the controller device through the connection means 
between the controller device and the demonstrator device and through the 
interconnection means between the demonstrator device and the witness device. The 
means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified here above. 

° Step 4: act of checking 

The transmission means of the demonstrator transmit each response D to the 
controller that carries out the check. 

Case of the proof of the integrity of a message 
In a second alternative embodiment, which can be combined with the first 
one, the terminal device according to the invention is designed to give proof to an 
entity, known as a controller, of the integrity of a message M associated with an 
entity known as a demonstrator. Said terminal device is such that it comprises a 
demonstrator device associated with the demonstrator entity. Said demonstrator 
device is interconnected with the witness device by interconnection means. It may 
especially take the form of logic microcircuits in a nomad object, for example the 
form of a microprocessor in a microprocessor-based bank card. Said demonstrator 
device comprises connection means for its electrical, electromagnetic, optical or 
acoustic connection, especially through a data-processing communications network, 
to the controller device associated with the controller entity. Said controller device 
especially takes the form of a terminal or remote server. 

Said terminal device is used to execute the following steps: 

° Step 1: act of commitment R 

At each call, the means of computation of the commitments R of the witness 
device compute each commitment R by applying the process specified here above. 
The witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means. 

° Steps 2 and 3: act of challenge d, act of response D 

The demonstrator device comprises computation means, hereinafter called the 
computation means of the demonstrator, applying a hashing function h whose 
arguments are the message M and all or part of each commitment R to compute at 
least one token T. The demonstrator device also has transmission means, hereinafter 
known as the transmission means of the demonstrator device, to transmit each token 
T, through the connection means, to the controller device. 

Said controller, after having received the token T, produces challenges d in a 
number equal to the number of commitments R. 

The means of reception of the challenges d of the witness device receive each 
challenge d coming from the controller device through the connection means 
between the controller device and the demonstrator device and through the 
interconnection means between the demonstrator device and the witness device. The 
means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified here above. 
° Step 4: act of checking 

The transmission means of the demonstrator send each response D to the 
controller device which performs the check. 

Digital signature of a message and proof of its authenticity 
In a third alternative embodiment capable of being combined with either or 
both of the first two embodiments, the terminal device according to the invention is 
designed to produce the digital signature of a message M, hereinafter known as a 
signed message, by an entity called a signing entity. The signed message comprises: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D. 

Said terminal device is such that it comprises a signing device associated with 
the signing entity. Said signing device is interconnected with the witness device by 
interconnection means. It may especially take the form of logic microcircuits in a 
nomad object, for example the form of a microprocessor in a microprocessor-based 
bank card. Said signing device comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the controller device associated with the controller 
entity. Said controller device especially takes the form of a terminal or remote 
server. 

Signing operation 

Said terminal device is used to execute the following steps: 
° Step 1: act of commitment R 

At each call, the means of computation of the commitments R of the witness 
device compute each commitment R by applying the process specified here above. 
The witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
signing device through the interconnection means. 
° Step 2: act of challenge d 

The signing device comprises computation means, hereinafter called the 
computation means of the signing device, applying a hashing function h whose 
arguments are the message M and all or part of each commitment R to compute a 
binary train and extract, from this binary train, challenges d whose number is equal 
to the number of commitments R. 

° Step 3: act of response D 

The means for the reception of the challenges d of the witness device receive 
each challenge d coming from the signing device through the interconnection means. 
The means for computing the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified here above. The 
witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device, 
through the interconnection means. 

Controller Device 

The invention also relates to a controller device. The controller device may 
especially take the form of a terminal or remote server associated with a controller 
entity. The controller device is designed to check: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity. 

This proof is established by means of all or part of the following parameters or 
derivatives of these parameters: 

- m pairs of public values G,, G 2 , G m (m being greater than or equal to 1), 

- a public modulus n constituted by the product of said f prime factors p_1, p_2, ..., p_f (f being greater than or equal to 2), unknown to the controller device and to the associated controller entity, 

- a public exponent v. 

Said modulus, said exponent and said values are related by relations of the type 

G_i · Q_i^v ≡ 1 (mod n) or G_i ≡ Q_i^v (mod n), 

where Q_i designates a private value, unknown to the controller device, associated with the public value G_i. 
The exponent v is such that 

v = 2^k 

where k is a security parameter greater than 1 . 

Said public value G_i is the square g_i^2 of a base number g_i smaller than the f prime factors p_1, p_2, ..., p_f. The base number g_i is such that the two equations: 

x^2 ≡ g_i (mod n) and x^2 ≡ -g_i (mod n) 

cannot be resolved in x in the ring of integers modulo n and such that the equation: 

x^v ≡ g_i^2 (mod n) 

can be resolved in x in the ring of the integers modulo n. 

Case of the proof of the authenticity of an entity 

In a first alternative embodiment, the controller device according to the 
invention is designed to prove the authenticity of an entity called a demonstrator and 
an entity called a controller. 

Said controller device comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to a demonstrator device associated with the demonstrator 
entity. 

Said controller device is used to execute the following steps: 

° Steps 1 and 2: act of commitment R, act of challenge d 

Said controller device also has means for the reception of all or part of the commitments R coming from the demonstrator device through the connection means. The controller device has challenge production means for the production, after receiving all or part of each commitment R, of the challenges d in a number equal to the number of commitments R, each challenge d comprising m integers d_i hereinafter called elementary challenges. The controller device also has transmission means, hereinafter called transmission means of the controller, to transmit the challenges d to the demonstrator through the connection means. 

° Steps 3 and 4: act of response D, act of checking 

The controller device also comprises: 

- means for the reception of the responses D coming from the demonstrator 
device, through the connection means, 

- computation means, hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the controller device. 

First case: the demonstrator has transmitted a part of each commitment R. 

If the reception means of the demonstrator have received a part of each commitment R, the computation means of the controller device, having m public values G_1, G_2, ..., G_m, compute a reconstructed commitment R' from each challenge d and each response D, this reconstructed commitment R' satisfying a relationship of the type 

R' ≡ G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m} · D^v (mod n) 

or a relationship of the type 

R' ≡ D^v / (G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m}) (mod n). 

The comparison means of the controller device compare each reconstructed commitment R' with all or part of each commitment R received. 

Second case: the demonstrator has transmitted the totality of each 
commitment R 

If the transmission means of the demonstrator have transmitted the totality of each commitment R, the computation means and the comparison means of the controller device, having m public values G_1, G_2, ..., G_m, ascertain that each commitment R satisfies a relationship of the type 

R ≡ G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m} · D^v (mod n) 

or a relationship of the type 

R ≡ D^v / (G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m}) (mod n). 

Case of the proof of the integrity of a message 

In a second alternative embodiment capable of being combined with the first 
one, the controller device according to the invention is designed to give proof to an 
entity, known as a controller, of the integrity of a message M associated with an 
entity known as a demonstrator. 

Said controller device comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to a demonstrator device associated with the demonstrator 
entity. 

Said system is used to execute the following steps: 
° Steps 1 and 2: act of commitment R, act of challenge d 
Said controller device also has means for the reception of tokens T coming 
from the demonstrator device through the connection means. The controller device 
has challenge production means for the production, after having received the token 
T, of the challenges d in a number equal to the number of commitments R, each 
challenge d comprising m integers d_i, hereinafter called elementary challenges. The 
controller device also has transmission means, hereinafter called the transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means. 

° Steps 3 and 4: act of response D, act of checking 
The controller device also comprises means for the reception of the responses D coming from the demonstrator device, through the connection means. Said controller device also comprises computation means, hereinafter called the computation means of the controller device, having m public values G_1, G_2, ..., G_m, to firstly compute a reconstructed commitment R' from each challenge d and each response D, this reconstructed commitment R' satisfying a relationship of the type 

R' ≡ G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m} · D^v (mod n) 

or a relationship of the type 

R' ≡ D^v / (G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m}) (mod n), 

then, secondly, compute a token T' by applying the hashing function h having as arguments the message M and all or part of each reconstructed commitment R'. 

The controller device also has comparison means, hereinafter called the 
comparison means of the controller device, to compare the computed token T' with 
the received token T. 

Digital signature of a message and proof of its authenticity 

In a third alternative embodiment capable of being combined with either or 
both of the first two embodiments, the controller device according to the invention is 
designed to prove the authenticity of the message M by checking a signed message 
by means of an entity called a controller. 

The signed message, sent by a signing device associated with a signing entity 
having a hashing function h (message, R) comprises: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D. 
Checking operation 

Said controller device comprises connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to a signing device associated with the signing entity. 
Said controller device receives the signed message from the signing device, through 
the connection means. 

The controller device comprises: 

- computation means, hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the 
controller device. 

• Case where the controller device has commitments R, challenges d, responses 
D 

If the controller has commitments R, challenges d, responses D, the computation and comparison means of the controller device ascertain that the commitments R, the challenges d and the responses D satisfy relationships of the type 

R ≡ G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m} · D^v (mod n) 

or relationships of the type: 

R ≡ D^v / (G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m}) (mod n). 

Then the computation and comparison means of the controller device ascertain that the message M, the challenges d and the commitments R satisfy the hashing function: 

d = h(message, R) 
• Case where the controller device has challenges d and responses D 

If the controller device has challenges d and responses D, the computation means of the controller, on the basis of each challenge d and each response D, compute commitments R' satisfying relationships of the type 

R' ≡ G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m} · D^v (mod n) 

or relationships of the type: 

R' ≡ D^v / (G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m}) (mod n). 

Then the computation and comparison means of the controller device ascertain that the message M and the challenges d satisfy the hashing function: 

d = h(message, R') 
• Case where the controller device has commitments R and responses D 

If the controller device has commitments R and responses D, the computation means of the controller device apply the hashing function and compute d' such that 

d' = h(message, R) 

Then the computation and comparison means of the controller device ascertain that the commitments R, the challenges d' and the responses D satisfy relationships of the type 

R ≡ G_1^{d'_1} · G_2^{d'_2} · ... · G_m^{d'_m} · D^v (mod n) 

or relationships of the type: 

R ≡ D^v / (G_1^{d'_1} · G_2^{d'_2} · ... · G_m^{d'_m}) (mod n) 
Description 

The goal of GQ technology may be recalled: it is the dynamic authentication 
of entities and associated messages as well as the digital signature of messages. 

The standard version of GQ technology makes use of RSA technology. 
However, although the RSA technology truly depends on factorizing, this 
dependence is not an equivalence, far from it, as can be shown from attacks, known 
as multiplicative attacks, against various digital signature standards implementing 
RSA technology. 

In the context of GQ2 technology, the present part of the invention relates more 
specifically to the use of sets of GQ2 keys in the context of dynamic authentication 
and digital signature. The GQ2 technology does not use RSA technology. The goal 
is a twofold one: first to improve performance with respect to RSA technology and 
secondly to prevent problems inherent in RSA technology. The GQ2 private key is 
the factorization of the modulus n. Any attack on the GQ2 triplets amounts to the 
factorizing of the modulus n: this time there is equivalence. With the GQ2 
technology, the work load is reduced both for the entity that signs or is authenticated 
and for the one that checks. Through an improved use of the problem of 
factorization, in terms of both security and performance, the GQ2 technology rivals 
the RSA technology. 

The GQ2 technology uses one or more small integers greater than 1, for example m small integers (m ≥ 1) called base numbers and referenced g_i. Since the base numbers are fixed from g_1 to g_m with m ≥ 1, a public verification key <v, n> is chosen as follows. The public verification exponent v is 2^k where k is a small integer greater than 1 (k ≥ 2). The public modulus n is the product of at least two prime factors greater than the base numbers, for example f prime factors (f ≥ 2) referenced by p_j, from p_1 to p_f. The f prime factors are chosen so that the public modulus n has the following properties with respect to each of the m base numbers from g_1 to g_m. 

- Firstly, the equations (1) and (2) cannot be resolved in x in the ring of the integers modulo n, that is to say that g_i and -g_i are two non-quadratic residues (mod n). 

x^2 ≡ g_i (mod n) (1) 

x^2 ≡ -g_i (mod n) (2) 

- Secondly, the equation (3) can be resolved in x in the ring of the integers modulo n. 

x^v ≡ g_i^2 (mod n) (3) 
Since the public verification key <v, n> is fixed according to the base numbers from g_1 to g_m with m ≥ 1, each base number g_i determines a pair of GQ2 values comprising a public value G_i and a private value Q_i: giving m pairs referenced G_1 Q_1 to G_m Q_m. The public value G_i is the square of the base number g_i, giving G_i = g_i^2. The private value Q_i is one of the solutions to the equation (3) or else the inverse (mod n) of such a solution. 

Just as the modulus n is broken down into f prime factors, the ring of the integers modulo n is broken down into f Galois fields, from CG(p_1) to CG(p_f). Here are the projections of the equations (1), (2) and (3) in CG(p_j). 

x^2 ≡ g_i (mod p_j) (1.a) 

x^2 ≡ -g_i (mod p_j) (2.a) 

x^v ≡ g_i^2 (mod p_j) (3.a) 

Each private value Q_i can be represented uniquely by f private components, one per prime factor: Q_{i,j} ≡ Q_i (mod p_j). Each private component Q_{i,j} is a solution to the equation (3.a) or else the inverse (mod p_j) of such a solution. After all the possible solutions to each equation (3.a) have been computed, the Chinese remainder technique sets up all the possible values for each private value Q_i on the basis of f components from Q_{i,1} to Q_{i,f}: Q_i = Chinese remainders (Q_{i,1}, Q_{i,2}, ..., Q_{i,f}), so as to obtain all the possible solutions to the equation (3). 

The following is the Chinese remainder technique: let there be two positive integers a and b that are mutually prime, such that 0 < a < b, and two components X_a from 0 to a-1 and X_b from 0 to b-1. It is required to determine X = Chinese remainders (X_a, X_b), namely the unique number X from 0 to a·b-1 such that X_a ≡ X (mod a) and X_b ≡ X (mod b). The following is the Chinese remainder parameter: α = {b (mod a)}^{-1} (mod a). The following is the Chinese remainder operation: ε = X_b (mod a); δ = X_a - ε; if δ is negative, replace δ by δ + a; γ = α · δ (mod a); X = γ · b + X_b. 

When the prime factors are arranged in rising order, from the smallest p_1 to the greatest p_f, the Chinese remainder parameters can be the following (there are f-1 of them, namely one less than the number of prime factors). The first Chinese remainder parameter is α = {p_2 (mod p_1)}^{-1} (mod p_1). The second Chinese remainder parameter is β = {p_1·p_2 (mod p_3)}^{-1} (mod p_3). The i-th Chinese remainder parameter is {p_1·p_2·...·p_{i-1} (mod p_i)}^{-1} (mod p_i). And so on and so forth. Finally, in f-1 Chinese remainder operations, a first result (mod p_2 times p_1) is obtained with the first parameter and then a second result (mod p_1·p_2 times p_3) with the second parameter and so on and so forth until a result (mod p_1·...·p_{f-1} times p_f), namely (mod n). 

There are several possible depictions of the private key GQ2, which expresses the polymorphic nature of the private key GQ2. The various depictions prove to be equivalent: they all amount to knowledge of the factorization of the modulus n, which is the true private GQ2 key. If the depiction truly affects the behavior of the signing entity or self-authenticating entity, it does not affect the behavior of the controller entity. 

Here are the main three possible depictions of the GQ2 private key. 

1) The standard representation in GQ technology consists of the storage of m private values Q_i and the public verification key <v, n>; in GQ2, this depiction is rivalled by the following two. 

2) The optimal representation in terms of work load consists in storing the public exponent v, the f prime factors p_j, m·f private components Q_{i,j} and f-1 parameters of the Chinese remainders. 

3) The optimal representation in terms of private key size consists in storing the public exponent v, the m base numbers g_i and the f prime factors p_j, then in starting each use by setting up either m private values Q_i and the modulus n to return to the first depiction or else m·f private components Q_{i,j} and f-1 parameters of the Chinese remainders to return to the second one. 
The signing or self-authenticating entities can all use the same base numbers. Unless otherwise indicated, the m base numbers from g_1 to g_m can then advantageously be the m first prime numbers. 

Because the security of the dynamic authentication mechanism or digital 
signature mechanism is equivalent to knowledge of a breakdown of the modulus, the 
GQ2 technology cannot be used to simply distinguish two entities using the same 
modulus. Generally, each entity that authenticates itself or signs has its own GQ2 
modulus. However, it is possible to specify GQ2 moduli with four prime factors, 
two of which are known by an entity and the other two by another entity. 

Here is a first set of GQ2 keys with k = 6, giving v = 64, m = 3, giving three base numbers: g_1 = 3, g_2 = 5 and g_3 = 7, and f = 3, namely a modulus with three prime factors: two congruent to 3 (mod 4) and one to 5 (mod 8). It must be noted that g = 2 is incompatible with a prime factor congruent to 5 (mod 8). 

The following is a second set of GQ2 keys, with k = 9, that is v = 512, m = 2, that is, two base numbers: g_1 = 2 and g_2 = 3, and f = 3, giving a modulus with three prime factors congruent to 3 (mod 4). 

Dynamic authentication 

The dynamic authentication mechanism is designed to prove, to an entity 
known as a controller, the authenticity of another entity known as a demonstrator 
as well as the authenticity of a possible associated message M, so that the controller 
can be sure that it is truly the demonstrator and, as the case may be, only the 
demonstrator and that the demonstrator is truly speaking of the same message M. 
The associated message M is optional. This means that it may be vacant. 

The dynamic authentication mechanism is a sequence of four acts: an act of commitment, an act of challenge, an act of response and an act of checking. The demonstrator fulfills the acts of commitment and response. The controller fulfills the acts of challenge and checking. 

Within the demonstrator, it is possible to isolate a witness so as to isolate the most sensitive parameters and functions of the demonstrator, namely the production of commitments and responses. The witness has the parameter k and the private key GQ2, namely the factorization of the modulus n according to one of the three depictions referred to here above: 

- the f prime factors and the m base numbers, 

- the m·f private components, the f prime factors and the f-1 parameters of the Chinese remainders, 

- the m private values and the modulus n. 

The witness may correspond to a partial embodiment, for example: 

- a chip card connected to a PC forming the entire demonstrator, or again, 

- specially protected programs within a PC, or again, 

- specially protected programs within a smart card. 

The witness thus isolated is similar to the witness defined here below within the signing party. At each execution of the mechanism, the witness produces one or more commitments R and then as many responses D to as many challenges d. Each set {R, d, D} is a GQ2 triplet. 

Apart from comprising the witness, the demonstrator also has, if necessary, a 
hashing function and a message M. 
The controller has the modulus n and the parameters k and m; if necessary, it also has the same hashing function and a message M. The controller is capable of reconstituting a commitment R' from any challenge d and any response D. The parameters k and m inform the controller. Failing any indication to the contrary, the m base numbers from g_1 to g_m are the m first prime numbers. Each challenge d must have m elementary challenges referenced from d_1 to d_m, one per base number. Each elementary challenge from d_1 to d_m may take a value from 0 to 2^{k-1}-1 (the values of v/2 to v-1 are not used). Typically, each challenge is encoded by m times k-1 bits (and not by m times k bits). For example, with k = 6 and m = 3 and the base numbers 3, 5 and 7, each challenge has 15 bits transmitted on two bytes; with k = 9, m = 2 and the base numbers 2 and 3, each challenge has 16 bits transmitted on two bytes. When the 2^{(k-1)·m} possible challenges are all equally possible, the value (k-1)·m determines the security provided by each GQ2 triplet: an impostor who, by definition, does not know the factorization of the modulus n has exactly one chance of success in 2^{(k-1)·m}. When (k-1)·m is equal to 15 to 20, one triplet is enough to reasonably provide for dynamic authentication. To achieve any security level, it is possible to produce triplets in parallel. It is also possible to produce them sequentially, namely to repeat the execution of the mechanism. 

1) The act of commitment comprises the following operations. 

When the witness has m private values from Q_1 to Q_m and the modulus n, it draws one or more random values r (0 < r < n) at random and privately; then by k successive squaring (mod n) operations, it converts each random value r into a commitment R: 

R = r^v (mod n) 
Here is an example with the first set of keys with k = 6. 

When the witness has f prime factors from p_1 to p_f and m·f private components Q_{i,j}, it draws one or more collections of f random values at random and privately: each collection has one random value r_j per prime factor p_j (0 < r_j < p_j); then by k successive operations of squaring (mod p_j), it converts each random value r_j into a component of commitment R_j: 

R_j = r_j^v (mod p_j) 

Here is an example with the second set of keys with k = 9. 


For each collection of f commitment components, the witness sets up a commitment according to the technique of Chinese remainders. There are as many commitments as there are collections of random values. 

R = Chinese remainders (R_1, R_2, ..., R_f) 


In both cases, the demonstrator sends the controller all or part of each 
commitment R, or at least a hashing code H obtained by hashing each commitment R 
and one message M. 

2) The act of challenge consists in drawing at random one or more challenges d each consisting of m elementary challenges d_1 | d_2 | ... | d_m; each elementary challenge d_i takes one of the values from 0 to v/2-1. 

d = d_1 | d_2 | ... | d_m 

Here is an example for the first set of keys with k = 6 and m = 3. 

d_1 = 10110 = 22 = '16'; d_2 = 00111 = 7; d_3 = 00010 = 2 
d = 0 || d_1 || d_2 || d_3 = 0101 1000 1110 0010 = 58 E2 
Here is an example for the second set of keys with k = 9 and m = 2. 

d = d_1 || d_2 = 58 E2, that is, in decimal notation 88 and 226 
The controller sends the demonstrator each challenge d. 
3) The act of response has the following operations. 

When the witness has m private values from Q_1 to Q_m and the modulus n, it computes one or more responses D in using each random value r of the act of commitment and the private values according to the elementary challenges. 

X ≡ Q_1^{d_1} · Q_2^{d_2} · ... · Q_m^{d_m} (mod n) 
D = r · X (mod n) 
Here is an example for the first set of keys. 


When the witness has f prime factors from p_1 to p_f and m·f private components Q_{i,j}, it computes one or more collections of f response components in using each collection of random values of the act of commitment: each collection of response components comprises one component per prime factor. 

X_j ≡ Q_{1,j}^{d_1} · Q_{2,j}^{d_2} · ... · Q_{m,j}^{d_m} (mod p_j) 
D_j ≡ r_j · X_j (mod p_j) 
Here is an example for the second set of keys. 

D_1 = r_1 · Q_{1,1}^{d_1} · Q_{2,1}^{d_2} (mod p_1) 
D_2 = r_2 · Q_{1,2}^{d_1} · Q_{2,2}^{d_2} (mod p_2) 
D_3 = r_3 · Q_{1,3}^{d_1} · Q_{2,3}^{d_2} (mod p_3) 

For each collection of response components, the witness draws up a response according to the Chinese remainder technique. There are as many responses as there are challenges. 

D = Chinese remainders (D_1, D_2, ..., D_f) 

In both cases, the demonstrator sends each response D to the controller. 

4) The checking act consists in ascertaining that each triplet {R, d, D} verifies an equation of the following type for a non-zero value: 

R ≡ G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m} · D^v (mod n) or else R ≡ D^v / (G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m}) (mod n) 

or else in setting up each commitment, none of which should be zero: 

R' ≡ G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m} · D^v (mod n) or else R' ≡ D^v / (G_1^{d_1} · G_2^{d_2} · ... · G_m^{d_m}) (mod n) 

If necessary, the controller then computes a hashing code H' by hashing each 
re-established commitment R' and a message M'. The dynamic authentication is 
successful when the controller thus retrieves what it had received at the end of the 
first act of commitment, namely all or part of each commitment R, or else the 
hashing code H. 

For example, a sequence of elementary operations converts the response D into a commitment R'. The sequence has k squares (mod n) separated by k-1 divisions or multiplications (mod n) by base numbers. For the i-th division or multiplication, which is performed between the i-th square and the (i+1)-th square, the i-th bit of the elementary challenge d_1 indicates whether it is necessary to use g_1, the i-th bit of the elementary challenge d_2 indicates whether it is necessary to use g_2, ... up to the i-th bit of the elementary challenge d_m which indicates whether it is necessary to use g_m. 

Here is an example for the first set of keys, with d_1 = 22, d_2 = 7 and d_3 = 2; the successive intermediate values are: 

D^2 (mod n) 
3 · D^2 (mod n) 
3^2 · D^4 (mod n) 
3^4 · D^8 (mod n) 
3^5 · 5 · D^8 (mod n) 
3^10 · 5^2 · D^16 (mod n) 
3^11 · 5^3 · 7 · D^16 (mod n) 
3^22 · 5^6 · 7^2 · D^32 (mod n) 
3^22 · 5^7 · 7^2 · D^32 (mod n) 
3^44 · 5^14 · 7^4 · D^64 (mod n), namely 3^2C · 5^E · 7^4 · D^40 (mod n) with the exponents in hexadecimal notation 

We find the commitment R. The authentication is successful. 

Here is an example for the second set of keys. 

D 2 (mod n) = C66E585D8F132F7O67617BC6D00BA699ABD74FB9D13E 

24E6A6692CCSD2FC7B57352D66D34F5273C13F20E3FAA228D70AEC 
693F8395ACEF9206B172A8A2C2CCBB 



40 



3 . D 2 (mod n) = 534C61 14D385C3E15355233C5BO0D09C2490D1B8D8E 
D3D592 1 3 CB83 EAD4 1 C309A 1 875 1 9E5F50 1 C4A45C3 7EB2FF3 8FBF20 
1 D6D 1 38F3999FC 1 D06A2B2647D48283 

3 2 . D* (mod n) = A9DC8DEA867697E76B4C18527DFFC49F4658473D03 
4EC 1 DDE0EB2 1 F6F65978BE477C423 1 AC9B 1EBD93D5D49422408E47 
1 59 1 9023 B 1 6BC3C6C46 A92BB D3 26 AADF 

2 . 3 3 . D* (mod n) = FB2D5 779603 9DFC4AF9199CAD44B66F257 A IFF 

3F2BA4C12B0A8496A0148B4DFBAFE838E0B5A7D9FB4394379D72A 

107E45C51FCDB7462D03A35002D29823A2BB5 

2 : . 3 4 . D l (mod n) = 4C2 10F96FF6C7754 1 9 1 0623B 1 E49533206DFB9E9 1 
6521F305F12C5DB054D4E1BF3A37FA293854DF02B49283B6DE5E5D 
82ACB23D AF I A0D5 A72 1 A 1 890D03 AO0BD8 

2 2 . 3 7 . £>' (mod n) = E4632EC4FE4565FC4B3 126B 15ADBF996149F2D 
BB42F65D9 1 1 D3 85 1 9 1 0FE7EA53 DAEA7EE7B A8FE9D08 1 DB78B249 
B i B 1 88806 1 6B90D4E280F564E49B270AE02388 

2 4 . 3" . D" (mod n) = ED3 DDC7 1 6 AE3 D 1 E A74C5 AF93 5DE8 1 4BCC 
2C78B 1 2 A6BB29FA542F998 1 C5D954F53 D 1 53B9F0 1 98B A82690EF 
665C 1 7C399607DEA54E2 1 8C2C0 1 A890D422EDA1 6FA3 

2 5 . 3" . D" (mod n) = DA7C64E0E8EDBE9CF823B71AB13F17E1 161487 
6BO00FBB473F5FCBF5A5D8D26C7B2A05D03BDDD588 1 64E562D0F5 
7AE94AE0AD3F35C6 1 C0892F4C9 1 DC0B08ED6F 

2'° . 3 18 . D n (mod n) = 6ED6AFC5A87D2DDI I7B0D89072C99FB9DC9 

5D558F65B6A1967E6207D4ADBBA32001D3828A35069B256A07C3D 

722F1 7DA30088E6E739FBC4 1 9FD7282D1 6CB6542 

2" . 3 M . £>" (mod n) = DDAD5F8B50FA5BA22F61B120E5933F73B92 

BAAB1ECB6D432CFCC40FA95B77464003A705146AOD364AD40F8 

7AE45E2FB4601 1 1CDCE73F78833FAE505A2D9ACA84 

2" . 3" . D" (mod n) = A466DOCB17614EFD961000BD9EABF4F021 

36F8307 1 0 1 882BC 1 764DBAACB7 15EFBF5D8309 AE00 1 EB5DEDA 

8F000E44B3D4578E5CA55797FD4BD1F8E919BE787BD0 

2" . 3 " J . D m (mod n) = 925BOEDF5047EFEC5AFABDC03A8309 19761 
B8FBDD2BF934E2A8A3IE29B976274D5I3007EF1269E4638B4F65F

8FDEC740778BDC 1 78 AD7AF2968689B930D5 A2359 

2" . ? ,:) D' n (mod n) = B71 1D89C03FDEA8DIF889134A4F809B3F2D 

8207F2AD8213D169F2E99ECEC4FEO80389O0F0C203B55EE4F4C8O3 

BFB912A04F11D9DB9D076021764BC4F57D47834 

2" . 3 ut . D 2 " (mod n) = 4 1A83F1 1 9FFE4A2F4AC7E5597A5D0BEB4D4C 

08D19E597FD034FE720235894363A19D6BC5AF323D24B1B7FCFD8D 
FCC62S02 1 B4648D7EF757A3 E46 1 EFOCFFOEA 1 3 

2" 6 . 3 4 " . D il2 (mod n) that i S 4" . 9 m . D 5,J (mod «) = 28AA7F12259BFBA8 
1368EB49C93EEAB3F3EC6BF73B0EBD7D3FC8395CFA1AD7FC0F9D 

AC169A4F6F1C46FB4C3458D1E37C99123B56446F6C928736B17B4BA 
4A529 

We find the commitment R. The authentication is successful. 
Digital signature 

The digital signing mechanism enables an entity called a signing party to 
produce signed messages and an entity called a controller to ascertain signed 
messages. The message M is any binary sequence: it may be vacant. The message 
M is signed by adding a signature appendix to it. This signature appendix comprises 
one or more commitments and/or challenges as well as the corresponding responses. 

The controller has the same hashing function, the parameters k and m and the
modulus n. The parameters k and m provide information to the controller. Firstly,
each elementary challenge from d1 to dm must take a value from 0 to 2^(k-1)-1 (the
values from v/2 to v-1 are not used). Secondly, each challenge d must comprise m
elementary challenges referenced from d1 to dm, namely as many of them as base
numbers. Furthermore, failing indications to the contrary, the m base numbers from
g1 to gm are the m first prime numbers. With (k-1).m equal to 15 to 20, it is possible
to sign with four triplets GQ2 produced in parallel; with (k-1).m equal to 60 or more,
it is possible to sign with a single triplet GQ2. For example, with k = 9 and m = 8, a
single triplet GQ2 is enough: each challenge has eight bytes and the base numbers
are 2, 3, 5, 7, 11, 13, 17 and 19.
The signing operation is a sequence of three acts: an act of commitment, an
act of challenge and an act of response. Each act produces one or more GQ2 triplets
each comprising: a commitment R (≠ 0), a challenge d consisting of m elementary
challenges referenced d1, d2, ..., dm and a response D (≠ 0).

The signing party has a hashing function, the parameter k and the GQ2
private key, namely the factorization of the modulus n according to one of the three
depictions referred to here above. Within the signing party, it is possible to isolate
a witness that performs the acts of commitment and response, so as to isolate
the functions and parameters most sensitive to the demonstrator. To compute
commitments and responses, the witness has the parameter k and the GQ2 private
key, namely the factorization of the modulus n according to one of the three
depictions referred to here above. The witness thus isolated is similar to the witness
defined within the demonstrator. It may correspond to a particular embodiment, for
example: a chip card connected to a PC forming the entire signing party, or again
programs particularly protected within a PC, or again programs particularly
protected within a chip card.

1) The act of commitment comprises the following operations:
When the witness has m private values from Q1 to Qm and the modulus n, it
randomly and privately draws one or more random values r (0 < r < n); then, by k
successive squaring (mod n) operations, it converts each random value r into a
commitment R.

R ≡ r^v (mod n)

When the witness has f prime factors from p1 to pf and m.f private
components Q_i,j, it privately and randomly draws one or more collections of f random
values: each collection has one random value r_i per prime factor p_i (0 < r_i < p_i);
then, by k successive squaring (mod p_i) operations, it converts each random value r_i
into a component of commitment R_i.

R_i ≡ r_i^v (mod p_i)
For each collection of f commitment components, the witness sets up a
commitment according to the Chinese remainder technique. There are as many
commitments as there are collections of random values.

R = Chinese remainders (R1, R2, ..., Rf)

2) The act of challenge consists in hashing all the commitments R and the
message to be signed M to obtain a hashing code from which the signing party forms
one or more challenges each comprising m elementary challenges; each elementary
challenge takes a value from 0 to v/2-1; for example, with k = 9 and m = 8, each
challenge has eight bytes. There are as many challenges as there are commitments.

d = d1 | d2 | ... | dm, extracted from the result Hash(M, R)

3) The act of response comprises the following operations.

When the witness has m private values from Q1 to Qm and the modulus n, it
computes one or more responses D using each random value r of the act of
commitment and the private values according to the elementary challenges.

X ≡ Q1^d1 . Q2^d2 . ... Qm^dm (mod n)
D ≡ r . X (mod n)
When the witness has f prime factors from p1 to pf and m.f private
components Q_i,j, it computes one or more collections of f response components
using each collection of random values of the act of commitment: each collection of
response components comprises one component per prime factor.

X_i ≡ Q_i,1^d1 . Q_i,2^d2 . ... Q_i,m^dm (mod p_i)
D_i ≡ r_i . X_i (mod p_i)

For each collection of response components, the witness sets up a response
according to the Chinese remainders technique. There are as many responses as
there are challenges.

D = Chinese remainders (D1, D2, ..., Df)
The signing party signs the message M by adding to it a signature appendix
comprising:

- either each GQ2 triplet, namely each commitment R, each challenge d and
each response D,
- or else each commitment R and each corresponding response D,

- or else each challenge d and each corresponding response D.

The running of the verification operation depends on the contents of the 
signature appendix. There are three possible cases. 

Should the appendix comprise one or more triplets, the checking operation 
has two independent processes for which the chronology is not important. The 
controller accepts the signed message if and only if the two following conditions are 
fulfilled. 

Firstly, each triplet must be consistent (an appropriate relationship of the
following type has to be verified) and acceptable (the comparison has to be done on a
non-zero value).

R ≡ G1^d1 . G2^d2 . ... Gm^dm . D^v (mod n) or else R . G1^d1 . G2^d2 . ... Gm^dm ≡ D^v (mod n)

For example, the response D is converted by a sequence of elementary
operations: k squarings (mod n) separated by k-1 multiplication or division operations
(mod n) by base numbers. For the i-th multiplication or division, which is performed
between the i-th square and the (i+1)-th square, the i-th bit of the elementary challenge
d1 indicates whether it is necessary to use g1, the i-th bit of the elementary challenge
d2 indicates whether it is necessary to use g2, ... up to the i-th bit of the elementary
challenge dm, which indicates whether it is necessary to use gm. It is thus necessary to
retrieve each commitment R present in the signature appendix.

Furthermore, the triplet or triplets must be linked to the message M. By
hashing all the commitments R and the message M, a hashing code is obtained from
which each challenge d must be recovered.

d = d1 | d2 | ... | dm, identical to those extracted from the result Hash(M, R)

Should the appendix have no challenge, the checking operation starts with a
reconstruction of one or more challenges d by hashing all the commitments R and
the message M.

d = d1 | d2 | ... | dm, extracted from the result Hash(M, R)
Then, the controller accepts the signed message if and only if each triplet is
consistent (an appropriate relationship of the following type is verified) and
acceptable (the comparison is done on a non-zero value).

R ≡ G1^d1 . G2^d2 . ... Gm^dm . D^v (mod n) or else R . G1^d1 . G2^d2 . ... Gm^dm ≡ D^v (mod n)

Should the appendix comprise no commitment, the checking operation
starts by reconstructing one or more commitments R according to one of the
following two formulae, namely the one that is appropriate. No re-established
commitment should be zero.

R ≡ G1^d1 . G2^d2 . ... Gm^dm . D^v (mod n) or else R ≡ D^v / (G1^d1 . G2^d2 . ... Gm^dm) (mod n)

Then, the controller must hash all the commitments and the message M so
as to reconstitute each challenge d.

d = d1 | d2 | ... | dm, identical to those extracted from the result Hash(M, R)

The controller accepts the signed message if and only if each reconstituted
challenge is identical to the corresponding challenge in the appendix.
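The signing and checking procedure described above (acts of commitment, challenge and response, then the controller's reconstruction of R from a "challenges and responses" appendix), worked through end to end in Python as an added example; it is not code from the patent or its applicants. It uses a toy key set-up of its own: k = 9, m = 3 base numbers 2, 3, 5, three GQ2 triplets, primes p and q congruent to 3 (mod 4) so that a 2^k-th root Q_i of G_i = g_i^2 can be taken by repeated exponentiation and combined by Chinese remainders, the G_i = Q_i^v form of the key relation, and SHA-256 as the hashing function. Those choices, the function names and the small key size are assumptions for the example, not anything the text specifies (the text's full-size set is k = 9, m = 8, one triplet). The controller rebuilds R' by the k squarings separated by k-1 divisions by base numbers described above, driven by the bits of the elementary challenges, and then checks that the challenges come back from Hash(M, R').

```python
import hashlib
import math
import random

K = 9                  # v = 2^k; this toy set is assumed (the text's full-size set is k = 9, m = 8, one triplet)
V = 1 << K
BASES = [2, 3, 5]      # base numbers g_1..g_m: the m first primes
T = 3                  # number of GQ2 triplets produced in parallel
WIDTH = K - 1          # each elementary challenge d_i lies in [0, 2^(k-1))

def is_probable_prime(n, rounds=32):
    """Miller-Rabin, adequate for a demonstration key."""
    if n < 2 or any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime_3mod4(bits):
    """Random prime p ≡ 3 (mod 4): a square root mod p is then one modular exponentiation."""
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(c):
            return c

def base_is_admissible(g, p, q):
    """The text's condition on g_i: neither x^2 = g nor x^2 = -g is solvable mod n = p.q."""
    is_square = lambda a, r: pow(a % r, (r - 1) // 2, r) == 1   # Euler's criterion
    return not (is_square(g, p) and is_square(g, q)) and not (is_square(-g, p) and is_square(-g, q))

def root_2k_mod_prime(a, p):
    """2^k-th root of a square a mod p ≡ 3 (mod 4): a^((p+1)/4) is the root that is itself a square."""
    for _ in range(K):
        a = pow(a, (p + 1) // 4, p)
    return a

def crt(rp, rq, p, q):
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)   # x ≡ rp (mod p), x ≡ rq (mod q)

def keygen(bits=256):
    """Assumed toy key set-up: G_i = g_i^2 and Q_i a 2^k-th root of G_i mod n (the G_i = Q_i^v form)."""
    while True:
        p, q = random_prime_3mod4(bits), random_prime_3mod4(bits)
        if p != q and all(base_is_admissible(g, p, q) for g in BASES):
            break
    n, G = p * q, [g * g for g in BASES]
    Q = [crt(root_2k_mod_prime(Gi, p), root_2k_mod_prime(Gi, q), p, q) for Gi in G]
    assert all(pow(Qi, V, n) == Gi for Gi, Qi in zip(G, Q))        # check the key relation
    return {"n": n, "G": G}, {"n": n, "Q": Q}

def challenges_from_hash(msg, commitments, n):
    """Act of challenge: for each commitment, d = d_1 | ... | d_m extracted from Hash(M, R)."""
    h = hashlib.sha256(msg + b"".join(R.to_bytes((n.bit_length() + 7) // 8, "big") for R in commitments))
    bits, ds = int.from_bytes(h.digest(), "big"), []   # toy sizes: one digest supplies every bit
    for _ in commitments:
        ds.append([(bits >> (j * WIDTH)) & ((1 << WIDTH) - 1) for j in range(len(BASES))])
        bits >>= len(BASES) * WIDTH
    return ds

def sign(priv, msg):
    """Signing party: act of commitment, act of challenge, act of response."""
    n, Q, rng = priv["n"], priv["Q"], random.SystemRandom()
    rs = [rng.randrange(1, n) for _ in range(T)]
    Rs = [pow(r, V, n) for r in rs]            # R = r^v, i.e. k successive squarings mod n
    ds = challenges_from_hash(msg, Rs, n)
    Ds = [r * math.prod(pow(Qi, di, n) for Qi, di in zip(Q, d)) % n for r, d in zip(rs, ds)]
    return {"d": ds, "D": Ds}                  # appendix of the "challenges and responses" kind

def reconstruct_commitment(pub, d, D):
    """Controller: R' = D^v / (G_1^d_1 ... G_m^d_m) as k squarings and k-1 divisions by base numbers."""
    n, y = pub["n"], D
    for s in range(K):
        y = y * y % n
        if s < K - 1:
            i = K - 2 - s                      # bit i of d_j decides whether g_j takes part, top bit first
            c = math.prod(g for g, dj in zip(BASES, d) if (dj >> i) & 1)
            y = y * pow(c, -1, n) % n
    return y

def verify(pub, msg, sig):
    """Appendix without commitments: rebuild each R', then every challenge must come back from Hash(M, R')."""
    n, Rs = pub["n"], []
    for d, D in zip(sig["d"], sig["D"]):
        if not 0 < D < n or any(not 0 <= di < (1 << WIDTH) for di in d):
            return False
        Rs.append(reconstruct_commitment(pub, d, D))
    return len(Rs) == T and 0 not in Rs and challenges_from_hash(msg, Rs, n) == sig["d"]
```

A run is `pub, priv = keygen(); sig = sign(priv, b"sample"); verify(pub, b"sample", sig)`. The division schedule in `reconstruct_commitment` is what lets the controller work with the small base numbers g_i rather than full exponentiations by the G_i; it computes the same value as D^v / (G_1^d_1 ... G_m^d_m) mod n, and `base_is_admissible` is the check on the base numbers that the claims state (x^2 ≡ g_i and x^2 ≡ -g_i both unsolvable mod n). `verify` also enforces the text's non-zero rule on responses and re-established commitments and the range of each elementary challenge.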
In the present application, it has been shown that there are pairs of private
values and public values Q and G respectively used to implement the method, system
and device according to the invention, designed to prove the authenticity of an entity
and/or integrity and/or authenticity of a message.

In the pending application filed on the same day as the present application by
France Telecom, TDF and the firm Math RiZK, whose inventors are Louis Guillou
and Jean-Jacques Quisquater, a method has been described for the production of sets
of GQ2 keys namely moduli n and pairs of public and private values G and Q
respectively when the exponent v is equal to 2^k. This patent application is
incorporated herein by reference.

CLAIMS

1. Method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the following parameters or derivatives of these 
parameters: 

- m pairs of private values Q1, Q2, ... Qm and public values G1, G2, ... Gm
(m being greater than or equal to 1),

- a public modulus n constituted by the product of f prime factors p1, p2, ... pf
(f being greater than or equal to 2),

- a public exponent v; 

said modulus, said exponent and said values being related by relations of the
following type

G_i . Q_i^v ≡ 1 mod n or G_i ≡ Q_i^v mod n;
said exponent v being such that

v = 2^k

where k is a security parameter greater than 1;

said public value G_i being the square g_i^2 of a base number g_i smaller than the f
prime factors p1, p2, ... pf, the base number g_i being such that:
the two equations:

x^2 ≡ g_i mod n and x^2 ≡ -g_i mod n
cannot be resolved in x in the ring of integers modulo n
and such that:

the equation:

x^v ≡ g_i^2 mod n
can be resolved in x in the ring of the integers modulo n;

said method implements, in the following steps, an entity called a witness having f
prime factors p_i and/or parameters of the Chinese remainders of the prime factors
and/or the public modulus n and/or the m private values Q_i and/or the f.m
components Q_i,j (Q_i,j ≡ Q_i mod p_j) of the private values Q_i and of the public
exponent v;

- the witness computes commitments R in the ring of integers modulo n; each
commitment being computed:

° either by performing operations of the type:

R ≡ r^v mod n
where r is a random value such that 0 < r < n,
° or

° ° by performing operations of the type:
R_i ≡ r_i^v mod p_i

where r_i is a random value associated with the prime number p_i such that 0 < r_i < p_i,
each r_i belonging to a collection of random values {r1, r2, ... rf},

° ° then by applying the Chinese remainder method;

- the witness receives one or more challenges d, each challenge d comprising 
m integers dj hereinafter called elementary challenges; the witness, on the basis of 
each challenge d, computes a response D, 

° either by performing operations of the type:

D ≡ r . Q1^d1 . Q2^d2 . ... Qm^dm mod n

° or

° ° by performing operations of the type:

D_i ≡ r_i . Q_i,1^d1 . Q_i,2^d2 . ... Q_i,m^dm mod p_i

° ° and then by applying the Chinese remainder method;

said method being such that there are as many responses D as there are challenges d 
as there are commitments R, each group of numbers R, d, D forming a triplet 
referenced {R, d, D}. 

2. Method according to claim 1, designed to prove the authenticity of an
entity known as a demonstrator to an entity known as the controller, said
demonstrator entity comprising the witness;

said demonstrator and controller entities executing the following steps: 

° Step 1: act of commitment R
- at each call, the witness computes each commitment R by applying the
process specified according to claim 1,

- the demonstrator sending the controller all or part of each commitment R,
° Step 2: act of challenge d

- the controller, after having received all or part of each commitment R,
produces challenges d whose number is equal to the number of commitments R and
sends the challenges d to the demonstrator,

° Step 3: act of response D

- the witness computes the responses D from the challenges d by applying the
process specified in claim 1,

° Step 4: act of checking

- the demonstrator sends each response D to the controller,
case where the demonstrator has transmitted a part of each commitment R
if the demonstrator has transmitted a part of each commitment R, the controller,
having the m public values G1, G2, ... Gm, computes a reconstructed commitment
R' from each challenge d and each response D, this reconstructed commitment R'
satisfying a relationship of the type

R' ≡ G1^d1 . G2^d2 . ... Gm^dm . D^v mod n
or a relationship of the type

R' ≡ D^v / (G1^d1 . G2^d2 . ... Gm^dm) mod n
the controller ascertains that each reconstructed commitment R' reproduces all or
part of each commitment R that has been transmitted to it.

case where the demonstrator has transmitted the totality of each commitment R

if the demonstrator has transmitted the totality of each commitment R, the controller,
having the m public values G1, G2, ... Gm, ascertains that each commitment R
satisfies a relationship of the type

R ≡ G1^d1 . G2^d2 . ... Gm^dm . D^v mod n
or a relationship of the type

R ≡ D^v / (G1^d1 . G2^d2 . ... Gm^dm) mod n



3. Method according to claim 1, designed to provide proof to an entity,
known as the controller entity, of the integrity of a message M associated with an 
entity called a demonstrator entity, said demonstrator entity comprising the witness; 
said demonstrator and controller entities executing the following steps: 

° Step 1: act of commitment R 

- at each call, the witness computes each commitment R by applying the process 
specified according to claim 1, 

° Step 2: act of challenge d 

- the demonstrator applies a hashing function h whose arguments are the message M 
and all or part of each commitment R to compute at least one token T, 

- the demonstrator sends the token T to the controller, 

- the controller, after having received a token T, produces challenges d equal in 
number to the number of commitments R and sends the challenges d to the 
demonstrator, 

° Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified according to claim 1, 

° Step 4: act of checking 

- the demonstrator sends each response D to the controller, 

- the controller, having the m public values G1, G2, ... Gm, computes a
reconstructed commitment R' from each challenge d and each response D, this
reconstructed commitment R' satisfying a relationship of the type

R' ≡ G1^d1 . G2^d2 . ... Gm^dm . D^v mod n
or a relationship of the type

R' ≡ D^v / (G1^d1 . G2^d2 . ... Gm^dm) mod n

- then the controller applies the hashing function h whose arguments are the message
M and all or part of each reconstructed commitment R' to reconstruct the token T',

- then the controller ascertains that the token T' is identical to the token T 
transmitted. 
4. Method according to claim 1, designed to produce the digital signature of
a message M by an entity known as the signing entity, said signing entity comprising 
the witness; 
Signing operation 

said signing entity executes a signing operation in order to obtain a signed message 
comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

said signing entity executes the signing operation by implementing the following 
steps: 

° Step 1: act of commitment R 

- at each call, the witness computes each commitment R by applying the process 
specified according to claim 1, 

° Step 2: act of challenge d 

- the signing party applies a hashing function h whose arguments are the message M 
and each commitment R to obtain a binary train, 

- from this binary train, the signing party extracts challenges d whose number is 
equal to the number of commitments R, 

° Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified according to claim 1. 

5. Method according to claim 4, designed to prove the authenticity of the 
message M by checking the signed message through an entity called a controller; 
Checking operation 

- said controller entity having the signed message executes a checking operation by 
proceeding as follows: 

° case where the controller has commitments R, challenges d, responses D
if the controller has commitments R, challenges d, responses D,
° ° the controller ascertains that the commitments R, the challenges d and the
responses D satisfy relationships of the type

R ≡ G1^d1 . G2^d2 . ... Gm^dm . D^v mod n
or relationships of the type:

R ≡ D^v / (G1^d1 . G2^d2 . ... Gm^dm) mod n

° ° the controller ascertains that the message M, the challenges d and the
commitments R satisfy the hashing function:

d = h (message, R)
° case where the controller has challenges d and responses D
if the controller has challenges d and responses D,

° ° the controller reconstructs, on the basis of each challenge d and each
response D, commitments R' satisfying relationships of the type

R' ≡ G1^d1 . G2^d2 . ... Gm^dm . D^v mod n
or relationships of the type:

R' ≡ D^v / (G1^d1 . G2^d2 . ... Gm^dm) mod n

° ° the controller ascertains that the message M and the challenges d satisfy
the hashing function:

d = h (message, R')
° case where the controller has commitments R and responses D
if the controller has commitments R and responses D,

° ° the controller applies the hashing function and reconstructs d'
d' = h (message, R)

° ° the controller device ascertains that the commitments R, the challenges d'
and the responses D satisfy relationships of the type

R ≡ G1^d'1 . G2^d'2 . ... Gm^d'm . D^v mod n
or relationships of the type:

R ≡ D^v / (G1^d'1 . G2^d'2 . ... Gm^d'm) mod n

6. A system designed to prove, to a controller server, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 
by means of all or part of the following parameters or derivatives of these
parameters:

- m pairs of private values Q1, Q2, ... Qm and public values G1, G2, ... Gm
(m being greater than or equal to 1),

- a public modulus n constituted by the product of said f prime factors p1, p2,
... pf (f being greater than or equal to 2),

- a public exponent v;

said modulus, said exponent and said values being linked by relations of the
type

G_i . Q_i^v ≡ 1 mod n or G_i ≡ Q_i^v mod n;

said exponent v is such that

v = 2^k

where k is a security parameter greater than 1;

said public value G_i being the square g_i^2 of the base number g_i smaller than the
f prime factors p1, p2, ... pf, the base number g_i being such that:
the two equations:

x^2 ≡ g_i mod n and x^2 ≡ -g_i mod n
cannot be resolved in x in the ring of integers modulo n
and such that:
the equation:

x^v ≡ g_i^2 mod n
can be resolved in x in the ring of the integers modulo n;

said system comprises a witness device, contained especially in a nomad object
which, for example, takes the form of a microprocessor-based bank card,

the witness device comprises

- a memory zone containing the f prime factors p_i and/or the parameters of the
Chinese remainders of the prime factors and/or the public modulus n and/or the m
private values Q_i and/or f.m components Q_i,j (Q_i,j ≡ Q_i mod p_j) of the private values
Q_i and of the public exponent v;

said witness device also comprises:
- random value production means, hereinafter called random value production
means of the witness device,

- computation means, hereinafter called means for the computation of
commitments R of the witness device, to compute commitments R in the ring of
integers modulo n; each commitment being computed:

° either by performing operations of the type:

R ≡ r^v mod n

where r is a random value produced by the random value production means, r being
such that 0 < r < n,

° or by performing operations of the type:

R_i ≡ r_i^v mod p_i

where r_i is a random value associated with the prime number p_i such that 0 < r_i < p_i,
each r_i belonging to a collection of random values {r1, r2, ... rf}, then by applying
the Chinese remainder method;
said witness device also comprises:

- reception means hereinafter called the means for the reception of the
challenges d of the witness device, to receive one or more challenges d; each
challenge d comprising m integers d_i hereinafter called elementary challenges;

- computation means, hereinafter called means for the computation of the
responses D of the witness device for the computation, on the basis of each challenge
d, of a response D,

° either by performing operations of the type:

D ≡ r . Q1^d1 . Q2^d2 . ... Qm^dm mod n
° or by performing operations of the type:

D_i ≡ r_i . Q_i,1^d1 . Q_i,2^d2 . ... Q_i,m^dm mod p_i
and then by applying the Chinese remainder method.

- transmission means to transmit one or more commitments R and one or 
more responses D; 

there are as many responses D as there are challenges d as there are commitments R, 
each group of numbers R, d, D forming a triplet referenced {R, d, D}. 
7. A system according to claim 6, designed to prove the authenticity of an
entity called a demonstrator to an entity called a controller,
said system being such that it comprises: 

- a demonstrator device associated with the demonstrator entity, said 
demonstrator device being interconnected with the witness device by interconnection 
means and possibly taking the form especially of logic microcircuits in a nomad 
object, for example the form of a microprocessor in a microprocessor-based bank 
card, 

- a controller device associated with the controller entity, said controller 
device especially taking the form of a terminal or remote server, said controller 
device comprising connection means for its electrical, electromagnetic, optical or 
acoustic connection, especially through a data-processing communications network, 
to the demonstrator device; 

said system enabling the execution of the following steps: 

° Step 1: act of commitment R 
at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the process specified according to claim 1, 
the witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the 
transmission means of the demonstrator, to transmit all or part of each commitment 
R to the controller device through the connection means; 

° Step 2: act of challenge d 
the controller device comprises challenge production means for the production, after 
receiving all or part of each commitment R, of the challenges d equal in number to 
the number of commitments R, 

the controller device also has transmission means, hereinafter known as the 
transmission means of the controller, to transmit the challenges d to the demonstrator 
through the connection means;
° Step 3: act of response D
the means of reception of the challenges d of the witness device receive each 
challenge d coming from the demonstrator device through the interconnection 
means, 

the means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

° Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the 
controller, 

the controller device also comprises: 

- computation means, hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the 
controller device, 

case where the demonstrator has transmitted a part of each commitment R
if the transmission means of the demonstrator have transmitted a part of each
commitment R, the computation means of the controller device, having m public
values G1, G2, ... Gm, compute a reconstructed commitment R' from each
challenge d and each response D, this reconstructed commitment R' satisfying a
relationship of the type

R' ≡ G1^d1 . G2^d2 . ... Gm^dm . D^v mod n
or a relationship of the type

R' ≡ D^v / (G1^d1 . G2^d2 . ... Gm^dm) mod n

the comparison means of the controller device compare each reconstructed
commitment R' with all or part of each commitment R received,

case where the demonstrator has transmitted the totality of each commitment R

if the transmission means of the demonstrator have transmitted the totality of each
commitment R, the computation means and the comparison means of the controller
device, having m public values G1, G2, ... Gm, ascertain that each commitment R
satisfies a relationship of the type

R ≡ G1^d1 . G2^d2 . ... Gm^dm . D^v mod n
or a relationship of the type

R ≡ D^v / (G1^d1 . G2^d2 . ... Gm^dm) mod n
8. System according to claim 6, designed to give proof to an entity, known as 
a controller, of the integrity of a message M associated with an entity known as a 
demonstrator, 

said system being such that it comprises 

- a demonstrator device associated with the demonstrator entity, said
demonstrator device being interconnected with the witness device by interconnection
means and possibly taking the form especially of logic microcircuits in a nomad
object, for example the form of a microprocessor in a microprocessor-based bank
card.



- a controller device associated with the controller entity, said controller 
device especially taking the form of a terminal or remote server, said controller 
device comprising connection means for its electrical, electromagnetic, optical or 
acoustic connection, especially through a data-processing communications network, 
to the demonstrator device; 

said system enabling the execution of the following steps: 

° Step 1: act of commitment R
at each call, the means of computation of the commitments R of the witness device
compute each commitment R by applying the process specified in claim 1,
the witness device has transmission means, hereinafter called transmission means of
the witness device, to transmit all or part of each commitment R to the demonstrator
device through the interconnection means,

° Step 2: act of challenge d
the demonstrator device comprises computation means, hereinafter called the
computation means of the demonstrator, applying a hashing function h whose
arguments are the message M and all or part of each commitment R to compute at
least one token T, 

the demonstrator device also has transmission means, hereinafter known as the 
transmission means of the demonstrator device, to transmit each token T through the 
connection means to the controller device, 

the controller device also has challenge production means for the production, after 
having received the token T, of the challenges d in a number equal to the number of 
commitments R, 

the controller device also has transmission means, hereinafter called the transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means; 

° Step 3: act of response D 
the means of reception of the challenges d of the witness device receive each 
challenge d coming from the demonstrator device through the interconnection 
means, 

the means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

° Step 4: act of checking 
the transmission means of the demonstrator transmit each response D to the 
controller, 

the controller device also comprises computation means, hereinafter called the
computation means of the controller device, having m public values G1, G2, ... Gm,
to firstly compute a reconstructed commitment R' from each challenge d and each
response D, this reconstructed commitment R' satisfying a relationship of the type

R' ≡ G1^d1 . G2^d2 . ... Gm^dm . D^v mod n
or a relationship of the type

R' ≡ D^v / (G1^d1 . G2^d2 . ... Gm^dm) mod n
then, secondly, compute a token T' by applying the hashing function h having as
arguments the message M and all or part of each reconstructed commitment R',
the controller device also has comparison means, hereinafter known as the
comparison means of the controller device, to compare the computed token T' with
the received token T.

9. System according to claim 6, designed to produce the digital signature of a
message M, hereinafter known as the signed message, by an entity called a signing
entity;

the signed message comprising:

- the message M,

- the challenges d and/or the commitments R,
- the responses D;

Signing operation 

said system being such that it comprises a signing device associated with the signing
entity, said signing device being interconnected with the witness device by
interconnection means and possibly taking the form especially of logic microcircuits
in a nomad object, for example the form of a microprocessor in a microprocessor-based
bank card,

said system enabling the execution of the following steps: 

° Step 1: act of commitment R
at each call, the means of computation of the commitments R of the witness device
compute each commitment R by applying the process specified according to claim 1,
the witness device has means of transmission, hereinafter called the transmission
means of the witness device, to transmit all or part of each commitment R to the
demonstrator device through the interconnection means,
° Step 2: act of challenge d

the signing device comprises computation means, hereinafter called the computation
means of the signing device, applying a hashing function h whose arguments are the
message M and all or part of each commitment R to compute a binary train and
extract, from this binary train, challenges d whose number is equal to the number of
commitments R,

° Step 3: act of response D
the means for the reception of the challenges d of the witness device receive each
challenge d coming from the signing device through the interconnection means,
the means for computing the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1, 

the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device
through the interconnection means. 

10. System according to claim 9, designed to prove the authenticity of the 
message M by checking the signed message by means of an entity called the 
controller; 

Checking operation 

the system being such that it comprises a controller device associated with the 
controller entity, said controller device especially taking the form of a terminal or 
remote server, said controller device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the signing device; 

the signing device associated with the signing entity comprises transmission means, 
hereinafter known as the transmission means of the signing device, for the 
transmission, to the controller device, of the signed message through the connection 
means, in such a way that the controller device has a signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

the controller device comprises: 

- computation means hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the
controller device, 

° case where the controller device has commitments R, challenges d, responses D
if the controller has commitments R, challenges d, responses D,

° ° the computation and comparison means of the controller device ascertain
that the commitments R, the challenges d and the responses D satisfy relationships of
the type

R ≡ G_1^d_1 . G_2^d_2 . ... . G_m^d_m . D^v mod n

or relationships of the type:

R ≡ D^v / (G_1^d_1 . G_2^d_2 . ... . G_m^d_m) mod n

° ° the computation and comparison means of the controller device ascertain 
that the message M, the challenges d and the commitments R satisfy the hashing 
function:

d = h (message, R) 
° case where the controller device has challenges d and responses D 
if the controller device has challenges d and responses D, 

° ° the computation means of the controller, on the basis of each challenge d
and each response D, compute commitments R' satisfying relationships of the type
R' ≡ G_1^d_1 . G_2^d_2 . ... . G_m^d_m . D^v mod n
or relationships of the type:

R' ≡ D^v / (G_1^d_1 . G_2^d_2 . ... . G_m^d_m) mod n

° ° the computation and comparison means of the controller device ascertain 
that the message M and the challenges d satisfy the hashing function:

d = h (message, R')
° case where the controller device has commitments R and responses D 
if the controller device has commitments R and responses D,

° ° the computation means of the controller device apply the hashing function
and compute d' such that

d' = h (message, R)
° ° the computation and comparison means of the controller device ascertain 
that the commitments R, the challenges d' and the responses D satisfy relationships 
of the type 

R ≡ G_1^d'_1 . G_2^d'_2 . ... . G_m^d'_m . D^v mod n
or relationships of the type:

R ≡ D^v / (G_1^d'_1 . G_2^d'_2 . ... . G_m^d'_m) mod n

11. A terminal device associated with an entity, taking the form especially of
a nomad object, for example the form of a microprocessor in a microprocessor-based 
bank card, designed to prove to a controller server: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity; 

by means of all or part of the following parameters or derivatives of these 
parameters: 

- m pairs of private values Q_1, Q_2, ... Q_m and public values G_1, G_2, ... G_m
(m being greater than or equal to 1), 

- a public modulus n constituted by the product of said f prime factors p_1, p_2,
... p_f (f being greater than or equal to 2),

- a public exponent v. 

said modulus, said exponent and said values being related by relations of the type 

G_i . Q_i^v ≡ 1 mod n or G_i ≡ Q_i^v mod n,
said exponent v being such that 

v = 2^k

where k is a security parameter greater than 1,

said public value G_i being the square g_i^2 of the base number g_i smaller than the f
prime factors p_1, p_2, ... p_f, the base number g_i being such that:

the two equations: 

x^2 ≡ g_i mod n and x^2 ≡ -g_i mod n
cannot be resolved in x in the ring of integers modulo n 
and such that 

the equation: 

x^v ≡ g_i^2 mod n
can be resolved in x in the ring of the integers modulo n. 
said terminal device comprises a witness device comprising, 
- a memory zone containing the f prime factors p_j and/or the parameters of the
Chinese remainders of the prime factors and/or the public modulus n and/or the m
private values Q_i and/or f.m components Q_i,j (Q_i,j ≡ Q_i mod p_j) of the private values
Q_i and of the public exponent v.

said witness device also comprises:

- random value production means, hereinafter called random value production 
means of the witness device, 

- computation means, hereinafter called means for the computation of 
commitments R of the witness device, to compute commitments R in the ring of the 

integers modulo n; each commitment being computed:
° either by performing operations of the type: 

R ≡ r^v mod n

where r is a random value produced by the random value production means, r being 
such that 0 < r < n,
° or by performing operations of the type:

R_i ≡ r_i^v mod p_i

where r_i is a random value associated with the prime number p_i such that 0 < r_i < p_i,
each r_i belonging to a collection of random values {r_1, r_2, ... r_f} produced by the
random value production means, then by applying the Chinese remainder method;
the witness device also comprises:

- reception means hereinafter called the means for the reception of the 
challenges d of the witness device, to receive one or more challenges d; each 
challenge d comprising m integers d_i hereinafter called elementary challenges;

- computation means, hereinafter called means for the computation of the 
responses D of the witness device, for the computation, on the basis of each

challenge d, of a response D, 

° either by performing operations of the type: 

D ≡ r . Q_1^d_1 . Q_2^d_2 . ... . Q_m^d_m mod n
° or by performing operations of the type:
D_i ≡ r_i . Q_i,1^d_1 . Q_i,2^d_2 . ... . Q_i,m^d_m mod p_i
and then by applying the Chinese remainder method,

- transmission means to transmit one or more commitments R and one or 
more responses D;

there are as many responses D as there are challenges d as there are commitments R, 
each group of numbers R, d, D forming a triplet referenced {R, d, D}.

12. A terminal device according to claim 11, designed to prove the 
authenticity of an entity called a demonstrator to an entity called a controller, 
said terminal device being such that it comprises a demonstrator device associated 
with the demonstrator entity, said demonstrator device being interconnected with the 
witness device by interconnection means and being capable especially of taking the
form of logic microcircuits in a nomad object, for example the form of a 
microprocessor in a microprocessor-based bank card, 

said demonstrator device also comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the controller device associated with the controller
entity, said controller device especially taking the form of a terminal or remote 
server; 

said terminal device enabling the execution of the following steps: 
° Step 1: act of commitment R 
at each call, the means of computation of the commitments R of the witness device

compute each commitment R by applying the process specified according to claim 1, 

the witness device has transmission means, hereinafter called the transmission means 

of the witness device, to transmit all or part of each commitment R to the 

demonstrator device through the interconnection means, 
the demonstrator device also has transmission means, hereinafter called the

transmission means of the demonstrator, to transmit all or part of each commitment 

R to the controller device, through the connection means; 

° Steps 2 and 3: act of challenge d, act of response D 

the means of reception of the challenges d of the witness device receive each 
challenge d coming from the controller device through the connection means
between the controller device and the demonstrator device and through the
interconnection means between the demonstrator device and the witness device, 
the means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to 
claim 1,

° Step 4: act of checking 
the transmission means of the demonstrator transmit each response D to the 
controller that carries out the check. 

13. Terminal device according to claim 11, designed to give proof to an
entity, known as a controller, of the integrity of a message M associated with an
entity known as a demonstrator, 

said terminal device being such that it comprises a demonstrator device associated 
with the demonstrator entity, said demonstrator device being interconnected with the 
witness device by interconnection means and being capable especially of taking the 
form of logic microcircuits in a nomad object, for example the form of a
microprocessor in a microprocessor-based bank card, 

said demonstrator device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the controller device associated with the controller 
entity, said controller device especially taking the form of a terminal or remote
server; 

said terminal device being used to execute the following steps: 

° Step 1: act of commitment R 
at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the process specified according to claim 1;
the witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

° Steps 2 and 3: act of challenge d, act of response D
the demonstrator device comprises computation means, hereinafter called the
computation means of the demonstrator, applying a hashing function h whose 
arguments are the message M and all or part of each commitment R to compute at 
least one token T, 

the demonstrator device also has transmission means, hereinafter known as the
transmission means of the demonstrator device, to transmit each token T, through the 
connection means, to the controller device, 

(said controller, after having received the token T, produces challenges d in a 

number equal to the number of commitments R,) 
the means of reception of the challenges d of the witness device receive each

challenge d coming from the controller device through the connection means 

between the controller device and the demonstrator device and through the 

interconnection means between the demonstrator device and the witness device, 

the means of computation of the responses D of the witness device compute the 
responses D from the challenges d by applying the process specified according to

claim 1, 

° Step 4: act of checking 

the transmission means of the demonstrator send each response D to the controller 

device which performs the check. 
14. Terminal device according to claim 11, designed to produce the digital

signature of a message M, hereinafter known as the signed message, by an entity 

called a signing entity; 

the signed message comprising: 
- the message M, 
- the challenges d and/or the commitments R,

- the responses D;

said terminal device being such that it comprises a signing device associated with the
signing entity, said signing device being interconnected with the witness device by 
interconnection means and possibly taking especially the form of logic microcircuits 
in a nomad object, for example the form of a microprocessor in a microprocessor-
based bank card, 

said demonstrator device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to the controller device associated with the controller
entity, said controller device especially taking the form of a terminal or remote 
server; 

Signing operation 

said terminal device being used to execute the following steps: 

° Step 1: act of commitment R

at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the process specified according to claim 1, 
the witness device has means of transmission, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 

signing device through the interconnection means,
° Step 2: act of challenge d 
the signing device comprises computation means, hereinafter called the computation 
means of the signing device, applying a hashing function h whose arguments are the 
message M and all or part of each commitment R to compute a binary train and 

extract, from this binary train, challenges d whose number is equal to the number of
commitments R, 

° Step 3: act of response D 
the means for the reception of the challenges d of the witness device receive each 
challenge d coming from the signing device through the interconnection means, 

the means for computing the responses D of the witness device compute the
responses D from the challenges d by applying the process specified according to 
claim 1, 

the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device, 
through the interconnection means.
15. Controller device especially taking the form of a terminal or remote
server associated with a controller entity, designed to check: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity 

by means of all or part of the following parameters or derivatives of these 
parameters: 

- m pairs of public values G_1, G_2, ... G_m (m being greater than or equal to 1),

- a public modulus n constituted by the product of said f prime factors p_1, p_2,
... p f (f being greater than or equal to 2), unknown to the controller device and to the 
associated controller entity, 

- a public exponent v; 

said modulus, said exponent and said values being related by relations of the type 

G_i . Q_i^v ≡ 1 mod n or G_i ≡ Q_i^v mod n,
where Q_i designates a private value, unknown to the controller device, associated
with the public value G_i,
said exponent v being such that 

v = 2^k

where k is a security parameter greater than 1 ; 

said public value G_i being the square g_i^2 of a base number g_i smaller than the f prime
factors p_1, p_2, ... p_f, the base number g_i being such that
the two equations: 

x^2 ≡ g_i mod n and x^2 ≡ -g_i mod n
cannot be resolved in x in the ring of integers modulo n and such that: 
the equation: 

x^v ≡ g_i^2 mod n
can be resolved in x in the ring of the integers modulo n. 

16. Controller device according to claim 15, designed to prove the 
authenticity of an entity called a demonstrator to an entity called a controller; 

said controller device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to a demonstrator device associated with the demonstrator
entity; 

said controller device being used to execute the following steps:

° Steps 1 and 2: act of commitment R, act of challenge d 
said controller device also has means for the reception of all or part of the
commitments R coming from the demonstrator device through the connection means, 
the controller device has challenge production means for the production, after 
receiving all or part of each commitment R, of the challenges d in a number equal to 
the number of commitments R, each challenge d comprising m integers d_i
hereinafter called elementary challenges,

the controller device also has transmission means, hereinafter called transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means; 

° Steps 3 and 4: act of response D, act of checking
said controller device also comprises:

- means for the reception of the responses D coming from the demonstrator 
device, through the connection means, 

- computation means, hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the

controller device, 

° case where the demonstrator has transmitted a part of each commitment R
if the reception means of the demonstrator have received a part of each commitment 
R, the computation means of the controller device, having m public values G_1, G_2,
... G_m, compute a reconstructed commitment R' from each challenge d and each

response D, this reconstructed commitment R' satisfying a relationship of the type 

R' ≡ G_1^d_1 . G_2^d_2 . ... . G_m^d_m . D^v mod n
or a relationship of the type 

R' ≡ D^v / (G_1^d_1 . G_2^d_2 . ... . G_m^d_m) mod n
the comparison means of the controller device compare each reconstructed

commitment R' with all or part of each commitment R received, 

° case where the demonstrator has transmitted the totality of each commitment R

if the transmission means of the demonstrator have received the totality of each
commitment R, the computation means and the comparison means of the controller
device, having m public values G_1, G_2, ... G_m, ascertain that each commitment R
satisfies a relationship of the type 

R ≡ G_1^d_1 . G_2^d_2 . ... . G_m^d_m . D^v mod n
or a relationship of the type

R ≡ D^v / (G_1^d_1 . G_2^d_2 . ... . G_m^d_m) mod n
17. Controller device according to claim 15, designed to give proof to an 
entity, known as a controller, of the integrity of a message M associated with an 
entity known as a demonstrator, 
said controller device comprising connection means for its electrical,
electromagnetic, optical or acoustic connection, especially through a data-processing 
communications network, to a demonstrator device associated with the demonstrator 
entity, 

said system enabling the execution of the following steps: 
° Steps 1 and 2: act of commitment R, act of challenge d

said controller device also has means for the reception of tokens T coming from the 
demonstrator device through the connection means, 

the controller device has challenge production means for the production, after having 
received the token T, of the challenges d in a number equal to the number of 
commitments R, each challenge d comprising m integers d_i, hereinafter called
elementary challenges, 

the controller device also has transmission means, hereinafter called the transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means; 
° Steps 3 and 4: act of response D, act of checking
- computation means, hereinafter called the computation means of the
controller device, 

- comparison means, hereinafter called the comparison means of the 
controller device; 

° case where the controller device has commitments R, challenges d, responses D
if the controller has commitments R, challenges d, responses D,

° ° the computation and comparison means of the controller device ascertain 
that the commitments R, the challenges d and the responses D satisfy relationships of 
the type 

R ≡ G_1^d_1 . G_2^d_2 . ... . G_m^d_m . D^v mod n

or relationships of the type: 

R ≡ D^v / (G_1^d_1 . G_2^d_2 . ... . G_m^d_m) mod n

° ° the computation and comparison means of the controller device ascertain 
that the message M, the challenges d and the commitments R satisfy the hashing 
function

d = h (message, R) 
° case where the controller device has challenges d and responses D 
if the controller device has challenges d and responses D, 

° ° the computation means of the controller, on the basis of each challenge d 
and each response D, compute commitments R' satisfying relationships of the type
R' ≡ G_1^d_1 . G_2^d_2 . ... . G_m^d_m . D^v mod n
or relationships of the type: 

R' ≡ D^v / (G_1^d_1 . G_2^d_2 . ... . G_m^d_m) mod n

° ° the computation and comparison means of the controller device ascertain 
that the message M and the challenges d satisfy the hashing function:

d = h (message, R')
° case where the controller device has commitments R and responses D 
if the controller device has commitments R and responses D,

° ° the computation means of the controller device apply the hashing function
and compute d' such that
d' = h (message, R)
° ° the computation and comparison means of the controller device ascertain
that the commitments R, the challenges d' and the responses D satisfy relationships 
of the type 

R ≡ G_1^d'_1 . G_2^d'_2 . ... . G_m^d'_m . D^v mod n

or relationships of the type: 

R ≡ D^v / (G_1^d'_1 . G_2^d'_2 . ... . G_m^d'_m) mod n
CLAIMS

1. Method designed to prove to a controller entity,

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q_1, Q_2, ... Q_m and public values G_1, G_2,
... G_m, m being greater than or equal to 1, or of the parameters derived from these
values, 

- a public modulus n constituted by the product of f prime factors p_1, p_2, ...
p f , f being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

G_i . Q_i^v ≡ 1 mod n or G_i ≡ Q_i^v mod n;
v designating a public exponent such that 

v = 2^k

where k is a security parameter greater than 1;

said public value G_i being the square g_i^2 of a base number g_i smaller than the f
prime factors p_1, p_2, ... p_f; the base number g_i being such that the following two
conditions are met: 
neither of the two equations: 

x^2 ≡ g_i mod n and x^2 ≡ -g_i mod n
can be resolved in x in the ring of integers modulo n,
the equation: 

x^v ≡ g_i^2 mod n
can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f
prime factors p_j and/or parameters of the Chinese remainders of the prime factors
and/or the public modulus n and/or the m private values Q_i and/or the f.m
components Q_i,j (Q_i,j ≡ Q_i mod p_j) of the private values Q_i and of the public
exponent v;
- the witness computes commitments R in the ring of the integers modulo n;
each commitment being computed: 

° either by performing operations of the type: 

R ≡ r^v mod n
where r is a random value such that 0 < r < n,
° or 

° ° by performing operations of the type: 
R_i ≡ r_i^v mod p_i

where r_i is a random value associated with the prime number p_i such that 0 < r_i < p_i,
each r_i belonging to a collection of random values {r_1, r_2, ... r_f},

° ° then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising 
m integers d_i hereinafter called elementary challenges; the witness, on the basis of
each challenge d, computes a response D, 

° either by performing operations of the type:

D ≡ r . Q_1^d_1 . Q_2^d_2 . ... . Q_m^d_m mod n

° or 

° ° by performing operations of the type: 

D_i ≡ r_i . Q_i,1^d_1 . Q_i,2^d_2 . ... . Q_i,m^d_m mod p_i
° ° and then by applying the Chinese remainder method;

said method being such that there are as many responses D as there are challenges d 
as there are commitments R, each group of numbers R, d, D forming a triplet 
referenced {R, d, D}. 

2. Method according to claim 1, designed to prove the authenticity of an 
entity known as a demonstrator to an entity known as the controller, said
demonstrator entity comprising the witness; 

said demonstrator and controller entities executing the following steps: 
° Step 1: act of commitment R 

at each call, the witness computes each commitment R by applying the 
process specified in claim 1,
the demonstrator sends the controller all or part of each commitment R,
° Step 2: act of challenge d 

- the controller, after having received all or part of each commitment R, 
produces challenges d whose number is equal to the number of commitments R and 
sends the challenges d to the demonstrator, 

° Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified in claim 1, 

° Step 4: act of checking 

- the demonstrator sends each response D to the controller, 

° case where the demonstrator has transmitted a part of each commitment R
if the demonstrator has transmitted a part of each commitment R, the controller, 
having the m public values G_1, G_2, ... G_m, computes a reconstructed commitment
R' from each challenge d and each response D, this reconstructed commitment R'
satisfying a relationship of the type 

R' ≡ G_1^d_1 . G_2^d_2 . ... . G_m^d_m . D^v mod n
or a relationship of the type 

R' ≡ D^v / (G_1^d_1 . G_2^d_2 . ... . G_m^d_m) mod n
the controller ascertains that each reconstructed commitment R' reproduces all or
part of each commitment R that has been transmitted to it. 

° case where the demonstrator has transmitted the totality of each commitment R
if the demonstrator has transmitted the totality of each commitment R, the controller, 
having the m public values G_1, G_2, ... G_m, ascertains that each commitment R
satisfies a relationship of the type 

R ≡ G_1^d_1 . G_2^d_2 . ... . G_m^d_m . D^v mod n
or a relationship of the type 

R ≡ D^v / (G_1^d_1 . G_2^d_2 . ... . G_m^d_m) mod n
3. Method according to claim 1, designed to provide proof to an entity, 
known as the controller entity, of the integrity of a message M associated with an 
entity called a demonstrator entity, said demonstrator entity comprising the witness; 
said demonstrator and controller entities executing the following steps:
° Step 1: act of commitment R 

- at each call, the witness computes each commitment R by applying the process 
specified according to claim 1, 

° Step 2: act of challenge d 

- the demonstrator applies a hashing function h whose arguments are the message M 
and all or part of each commitment R to compute at least one token T, 

- the demonstrator sends the token T to the controller, 

- the controller, after having received a token T, produces challenges d equal in 
number to the number of commitments R and sends the challenges d to the 
demonstrator, 

° Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified according to claim 1,

° Step 4: act of checking 

- the demonstrator sends each response D to the controller, 

- the controller, having the m public values G_1, G_2, ... G_m, computes a
reconstructed commitment R' from each challenge d and each response D, this
reconstructed commitment R' satisfying a relationship of the type 

R' ≡ G_1^d_1 . G_2^d_2 . ... . G_m^d_m . D^v mod n
or a relationship of the type 

R' ≡ D^v / (G_1^d_1 . G_2^d_2 . ... . G_m^d_m) mod n

- then the controller applies the hashing function h whose arguments are the message 
M and all or part of each reconstructed commitment R' to reconstruct the token T',

- then the controller ascertains that the token T' is identical to the token T
transmitted. 

4. Method according to claim 1, designed to produce the digital signature of 
a message M by an entity known as the signing entity, said signing entity comprising 
the witness; 
Signing operation 
said signing entity executes a signing operation in order to obtain a signed message
comprising: 

- the message M, 

- the challenges d and/or the commitments R, 
- the responses D;

said signing entity executes the signing operation by implementing the following 
steps: 

° Step 1: act of commitment R 

- at each call, the witness computes each commitment R by applying the process 
specified according to claim 1,

° Step 2: act of challenge d 

- the signing party applies a hashing function h whose arguments are the message M 
and each commitment R to obtain a binary train, 

- from this binary train, the signing party extracts challenges d whose number is 
equal to the number of commitments R,

° Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified according to claim 1.

5. Method according to claim 4, designed to prove the authenticity of the 
message M by checking the signed message through an entity called a controller;
Checking operation 

- said controller entity having the signed message executes a checking operation by 
proceeding as follows: 

° case where the controller has commitments R, challenges d, responses D 
if the controller has commitments R, challenges d, responses D,

° ° the controller ascertains that the commitments R, the challenges d and the 
responses D satisfy relationships of the type 

R ≡ G_1^d_1 . G_2^d_2 . ... . G_m^d_m . D^v mod n
or relationships of the type 
R ≡ D^v / (G_1^d_1 . G_2^d_2 . ... . G_m^d_m) mod n
° ° the controller ascertains that the message M, the challenges d and the
commitments R satisfy the hashing function: 

d = h (message, R) 
° case where the controller has challenges d and responses D 
if the controller has challenges d and responses D, 

° ° the controller reconstructs, on the basis of each challenge d and each 
response D, commitments R' satisfying relationships of the type 

R' ≡ G_1^d_1 . G_2^d_2 . ... . G_m^d_m . D^v mod n
or relationships of the type: 

R' ≡ D^v / (G_1^d_1 . G_2^d_2 . ... . G_m^d_m) mod n

° ° the controller ascertains that the message M and the challenges d satisfy
the hashing function: 

d = h (message, R')
° case where the controller has commitments R and responses D 
if the controller has commitments R and responses D,

° ° the controller applies the hashing function and reconstructs d' 
d' = h (message, R)

° ° the controller device ascertains that the commitments R, the challenges d' 
and the responses D satisfy relationships of the type 

R ≡ G_1^d'_1 . G_2^d'_2 . ... . G_m^d'_m . D^v mod n
or relationships of the type: 

R ≡ D^v / (G_1^d'_1 . G_2^d'_2 . ... . G_m^d'_m) mod n

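As an added worked example (not code from the patent application or any product), the witness computations of claim 1, the signing operation of claim 4 and the case of claim 5 where the controller holds only the challenges d and the responses D, in Python. Everything is constructed for illustration: f = 2 toy primes p_j ≡ 3 (mod 4), m = 2 base numbers g_i, k = 4 so v = 16; the private values Q_i are derived as v-th roots of G_i = g_i^2 using the prime factors, so the relation G_i ≡ Q_i^v mod n holds, while the claims' condition that x^2 ≡ ±g_i mod n be unsolvable is assumed rather than checked, and the primes are far too small for real use.

```python
"""GQ2-style witness/controller computations as laid out in the claims.

Added example, not code from the patent. Constructed toy parameters:
f = 2 primes p_j = 3 (mod 4), m = 2 base numbers g_i, k = 4 so v = 16.
The claims' extra condition on the g_i (x^2 = +/-g_i mod n unsolvable)
is assumed, not checked; the primes are far too small for real use.
"""
import hashlib
import secrets

PRIMES = [1019, 1031]              # f prime factors p_j (constructed)
BASES = [3, 5]                     # m base numbers g_i (constructed)
K = 4                              # security parameter k
V = 2 ** K                         # public exponent v = 2^k
N = PRIMES[0] * PRIMES[1]          # public modulus n
G = [g * g % N for g in BASES]     # public values G_i = g_i^2


def crt(residues, moduli):
    """Chinese remainder method: residues mod each p_j -> one value mod n."""
    n = 1
    for p in moduli:
        n *= p
    x = 0
    for r, p in zip(residues, moduli):
        q = n // p
        x += r * q * pow(q, -1, p)
    return x % n


def root_2k_mod_p(a, p, k):
    """2^k-th root of a quadratic residue a mod p when p = 3 (mod 4):
    a^((p+1)/4) is a square root that is itself a residue, so iterate."""
    for _ in range(k):
        a = pow(a, (p + 1) // 4, p)
    return a


def private_values():
    """Components Q_i,j = Q_i mod p_j and the private values Q_i with
    Q_i^v = G_i (mod n); only the holder of the prime factors can do this."""
    components = [[root_2k_mod_p(g % p, p, K) for p in PRIMES] for g in G]
    return [crt(row, PRIMES) for row in components], components


Q, Q_COMPONENTS = private_values()


def commit(r=None):
    """Witness, step 1: commitment R = r^v mod n from a random 0 < r < n."""
    if r is None:
        r = 1 + secrets.randbelow(N - 1)
    return r, pow(r, V, N)


def respond(r, d):
    """Witness, step 3: D_j = r_j . Q_1,j^d_1 ... Q_m,j^d_m mod p_j per prime,
    then D = r . Q_1^d_1 ... Q_m^d_m mod n by the Chinese remainder method."""
    parts = []
    for j, p in enumerate(PRIMES):
        dj = r % p
        for i, di in enumerate(d):
            dj = dj * pow(Q_COMPONENTS[i][j], di, p) % p
        parts.append(dj)
    return crt(parts, PRIMES)


def reconstruct(d, D):
    """Controller: R' = D^v / (G_1^d_1 ... G_m^d_m) mod n, the relation the
    claims give for the convention G_i = Q_i^v mod n."""
    prod = 1
    for gi, di in zip(G, d):
        prod = prod * pow(gi, di, N) % N
    return pow(D, V, N) * pow(prod, -1, N) % N


def check(R, d, D):
    """Step 4 with the full commitment R in hand: R must equal R'."""
    return R == reconstruct(d, D)


def challenges_from_hash(message, R):
    """Signing, step 2: d = h(message, R); the binary train is cut into m
    elementary challenges d_i of k bits each (0 <= d_i < v, an assumption)."""
    train = hashlib.sha256(message + R.to_bytes(8, "big")).digest()
    bits = int.from_bytes(train, "big")
    return [(bits >> (K * i)) & (V - 1) for i in range(len(G))]


def sign(message):
    """Signing operation (claim 4): one triplet {R, d, D}, returned as (d, D)."""
    r, R = commit()
    d = challenges_from_hash(message, R)
    return d, respond(r, d)


def verify_signature(message, d, D):
    """Checking operation (claim 5), case where the controller has only the
    challenges d and responses D: rebuild R' and test d = h(message, R')."""
    return d == challenges_from_hash(message, reconstruct(d, D))
```

The negative `check` call in the test shows the point of the triplet: a response D computed for one challenge does not verify against a different challenge, because the reconstructed commitment then differs from R by a factor of G_1.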
6. A system designed to prove, to a controller server,

- the authenticity of an entity and/or

- the integrity of a message M associated with this entity,

by means of:

- m pairs of private values $Q_1, Q_2, \ldots, Q_m$ and public values $G_1, G_2, \ldots, G_m$, m being greater than or equal to 1, or parameters derived from these values,

- a public modulus n constituted by the product of f prime factors $p_1, p_2, \ldots, p_f$, f being greater than or equal to 2,

said modulus and said values being linked by relations of the type

$G_i \cdot Q_i^v \equiv 1 \pmod n$ or $G_i \equiv Q_i^v \pmod n$,

v designating a public exponent such that

$v = 2^k$

where k is a security parameter greater than 1;

said public value $G_i$ being the square $g_i^2$ of the base number $g_i$, smaller than the f prime factors $p_1, p_2, \ldots, p_f$, the base number $g_i$ being such that the following conditions are met:

neither of the two equations:

$x^2 \equiv g_i \pmod n$ and $x^2 \equiv -g_i \pmod n$

can be solved for x in the ring of integers modulo n;

the equation:

$x^v \equiv g_i^2 \pmod n$

can be solved for x in the ring of integers modulo n;

said system comprises a witness device, contained especially in a nomad object which, for example, takes the form of a microprocessor-based bank card,
the witness device comprises

- a memory zone containing the f prime factors $p_i$ and/or the parameters of the Chinese remainders of the prime factors and/or the public modulus n and/or the m private values $Q_j$ and/or the f·m components $Q_{i,j}$ ($Q_{i,j} \equiv Q_j \pmod{p_i}$) of the private values $Q_j$, and the public exponent v;

said witness device also comprises:

- random value production means, hereinafter called random value production means of the witness device,

- computation means, hereinafter called means for the computation of commitments R of the witness device, to compute commitments R in the ring of integers modulo n; each commitment being computed:

° either by performing operations of the type:

$R = r^v \bmod n$

where r is a random value produced by the random value production means, r being such that $0 < r < n$,

° or by performing operations of the type:

$R_i = r_i^v \bmod p_i$

where $r_i$ is a random value associated with the prime number $p_i$ such that $0 < r_i < p_i$, each $r_i$ belonging to a collection of random values $\{r_1, r_2, \ldots, r_f\}$, then by applying the Chinese remainder method;

said witness device also comprises:

- reception means, hereinafter called the means for the reception of the challenges d of the witness device, to receive one or more challenges d; each challenge d comprising m integers $d_i$ hereinafter called elementary challenges;

- computation means, hereinafter called means for the computation of the responses D of the witness device, for the computation, on the basis of each challenge d, of a response D,

° either by performing operations of the type:

$D = r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \cdots Q_m^{d_m} \bmod n$

° or by performing operations of the type:

$D_i = r_i \cdot Q_{i,1}^{d_1} \cdot Q_{i,2}^{d_2} \cdots Q_{i,m}^{d_m} \bmod p_i$

and then by applying the Chinese remainder method,

- transmission means to transmit one or more commitments R and one or more responses D;

there are as many responses D as there are challenges d as there are commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}.
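The following derivation is added here with the claims' own symbols and is not part of the patent text. It shows why the two checking relations used in claims 5, 7 and 8 hold for an honest witness, why the Chinese-remainder branch yields the same numbers, and why the random value r must never be reused.

For the first form of the key relation, $G_i \cdot Q_i^v \equiv 1 \pmod n$, substituting $D = r \cdot \prod_{i=1}^{m} Q_i^{d_i}$ and $R = r^v$ gives

$$G_1^{d_1} \cdots G_m^{d_m} \cdot D^v \equiv r^v \cdot \prod_{i=1}^{m} \left(G_i \cdot Q_i^v\right)^{d_i} \equiv r^v \equiv R \pmod n .$$

For the second form, $G_i \equiv Q_i^v \pmod n$, the same substitution gives $D^v \equiv r^v \cdot \prod_{i=1}^{m} G_i^{d_i} \pmod n$, hence

$$R \equiv D^v \Big/ \prod_{i=1}^{m} G_i^{d_i} \pmod n ,$$

which is the division form of the relation (the $G_i$ are invertible modulo n because $g_i$ is smaller than every prime factor).

The Chinese-remainder branch gives the same commitments and responses: with $R_i \equiv r_i^v \pmod{p_i}$, $D_i \equiv r_i \cdot \prod_{j} Q_{i,j}^{d_j} \pmod{p_i}$ and $Q_{i,j} \equiv Q_j \pmod{p_i}$, the recombined R and D are the unique residues modulo $n = p_1 \cdots p_f$ that reduce to $R_i$ and $D_i$ modulo each $p_i$, i.e. exactly $r^v \bmod n$ and $r \cdot \prod_j Q_j^{d_j} \bmod n$ for the r with $r \equiv r_i \pmod{p_i}$.

A fresh r is required for every commitment: two responses D and D' computed from the same r for different challenges d and d' satisfy

$$D / D' \equiv \prod_{i=1}^{m} Q_i^{\,d_i - d'_i} \pmod n ,$$

so with m = 1 and $d_1 - d'_1 = 1$ the quotient is the private value $Q_1$ itself.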

7. A system according to claim 6, designed to prove the authenticity of an entity called a demonstrator to an entity called a controller,
said system being such that it comprises:

- a demonstrator device associated with the demonstrator entity, said demonstrator device being interconnected with the witness device by interconnection means and possibly taking the form especially of logic microcircuits in a nomad object, for example the form of a microprocessor in a microprocessor-based bank card,

- a controller device associated with the controller entity, said controller device especially taking the form of a terminal or remote server, said controller device comprising connection means for its electrical, electromagnetic, optical or acoustic connection, especially through a data-processing communications network, to the demonstrator device;

said system enabling the execution of the following steps:

° Step 1: act of commitment R
at each call, the means of computation of the commitments R of the witness device compute each commitment R by applying the process specified according to claim 1,
the witness device has means of transmission, hereinafter called the transmission means of the witness device, to transmit all or part of each commitment R to the demonstrator device through the interconnection means,

the demonstrator device also has transmission means, hereinafter called the transmission means of the demonstrator, to transmit all or part of each commitment R to the controller device through the connection means;

° Step 2: act of challenge d
the controller device comprises challenge production means for the production, after receiving all or part of each commitment R, of the challenges d equal in number to the number of commitments R,
the controller device also has transmission means, hereinafter known as the transmission means of the controller, to transmit the challenges d to the demonstrator through the connection means;

° Step 3: act of response D
the means of reception of the challenges d of the witness device receive each challenge d coming from the demonstrator device through the interconnection means,
the means of computation of the responses D of the witness device compute the responses D from the challenges d by applying the process specified according to claim 1,

° Step 4: act of checking
the transmission means of the demonstrator transmit each response D to the controller,

the controller device also comprises:

- computation means, hereinafter called the computation means of the controller device,

- comparison means, hereinafter called the comparison means of the controller device,

case where the demonstrator has transmitted a part of each commitment R
if the transmission means of the demonstrator have transmitted a part of each commitment R, the computation means of the controller device, having m public values $G_1, G_2, \ldots, G_m$, compute a reconstructed commitment R' from each challenge d and each response D, this reconstructed commitment R' satisfying a relationship of the type

$R' = G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \bmod n$

or a relationship of the type

$R' = D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \bmod n$

the comparison means of the controller device compare each reconstructed commitment R' with all or part of each commitment R received,

case where the demonstrator has transmitted the totality of each commitment R
if the transmission means of the demonstrator have transmitted the totality of each commitment R, the computation means and the comparison means of the controller device, having m public values $G_1, G_2, \ldots, G_m$, ascertain that each commitment R satisfies a relationship of the type

$R = G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \bmod n$

or a relationship of the type

$R = D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \bmod n$
8. System according to claim 6, designed to give proof to an entity, known as a controller, of the integrity of a message M associated with an entity known as a demonstrator,

said system being such that it comprises

- a demonstrator device associated with the demonstrator entity, said demonstrator device being interconnected with the witness device by interconnection means and possibly taking the form especially of logic microcircuits in a nomad object, for example the form of a microprocessor in a microprocessor-based bank card,

- a controller device associated with the controller entity, said controller device especially taking the form of a terminal or remote server, said controller device comprising connection means for its electrical, electromagnetic, optical or acoustic connection, especially through a data-processing communications network, to the demonstrator device;

said system enabling the execution of the following steps:

° Step 1: act of commitment R
at each call, the means of computation of the commitments R of the witness device compute each commitment R by applying the process specified in claim 1,

the witness device has transmission means, hereinafter called transmission means of the witness device, to transmit all or part of each commitment R to the demonstrator device through the interconnection means,

° Step 2: act of challenge d
the demonstrator device comprises computation means, hereinafter called the computation means of the demonstrator, applying a hashing function h whose arguments are the message M and all or part of each commitment R to compute at least one token T,

the demonstrator device also has transmission means, hereinafter known as the transmission means of the demonstrator device, to transmit each token T through the connection means to the controller device,

the controller device also has challenge production means for the production, after having received the token T, of the challenges d in a number equal to the number of commitments R,

the controller device also has transmission means, hereinafter called the transmission means of the controller, to transmit the challenges d to the demonstrator through the connection means;

° Step 3: act of response D
the means of reception of the challenges d of the witness device receive each challenge d coming from the demonstrator device through the interconnection means,

the means of computation of the responses D of the witness device compute the responses D from the challenges d by applying the process specified according to claim 1,

° Step 4: act of checking
the transmission means of the demonstrator transmit each response D to the controller,

the controller device also comprises computation means, hereinafter called the computation means of the controller device, having m public values $G_1, G_2, \ldots, G_m$, to firstly compute a reconstructed commitment R' from each challenge d and each response D, this reconstructed commitment R' satisfying a relationship of the type

$R' = G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \bmod n$

or a relationship of the type

$R' = D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \bmod n$

then, secondly, compute a token T' by applying the hashing function h having as arguments the message M and all or part of each reconstructed commitment R',
the controller device also has comparison means, hereinafter known as the comparison means of the controller device, to compare the computed token T' with the received token T.

9. System according to claim 6, designed to produce the digital signature of a message M, hereinafter known as the signed message, by an entity called a signing entity;

the signed message comprising:

- the message M,

- the challenges d and/or the commitments R,

- the responses D;

Signing operation

said system being such that it comprises a signing device associated with the signing entity, said signing device being interconnected with the witness device by interconnection means and possibly taking the form especially of logic microcircuits in a nomad object, for example the form of a microprocessor in a microprocessor-based bank card,

said system enabling the execution of the following steps:

° Step 1: act of commitment R
at each call, the means of computation of the commitments R of the witness device compute each commitment R by applying the process specified according to claim 1,
the witness device has means of transmission, hereinafter called the transmission means of the witness device, to transmit all or part of each commitment R to the signing device through the interconnection means,

° Step 2: act of challenge d
the signing device comprises computation means, hereinafter called the computation means of the signing device, applying a hashing function h whose arguments are the message M and all or part of each commitment R to compute a binary train and extract, from this binary train, challenges d whose number is equal to the number of commitments R,

° Step 3: act of response D
the means for the reception of the challenges d of the witness device receive each challenge d coming from the signing device through the interconnection means,

the means for computing the responses D of the witness device compute the responses D from the challenges d by applying the process specified according to claim 1,

the witness device comprises transmission means, hereinafter called means of transmission of the witness device, to transmit the responses D to the signing device through the interconnection means.
10. System according to claim 9, designed to prove the authenticity of the message M by checking the signed message by means of an entity called the controller;

Checking operation

the system being such that it comprises a controller device associated with the controller entity, said controller device especially taking the form of a terminal or remote server, said controller device comprising connection means for its electrical, electromagnetic, optical or acoustic connection, especially through a data-processing communications network, to the signing device;

the signing device associated with the signing entity comprises transmission means, hereinafter known as the transmission means of the signing device, for the transmission, to the controller device, of the signed message through the connection means, in such a way that the controller device has a signed message comprising:

- the message M,

- the challenges d and/or the commitments R,

- the responses D;

the controller device comprises:

- computation means, hereinafter called the computation means of the controller device,

- comparison means, hereinafter called the comparison means of the controller device.

° case where the controller device has commitments R, challenges d and responses D
if the controller device has commitments R, challenges d and responses D,

° ° the computation and comparison means of the controller device ascertain that the commitments R, the challenges d and the responses D satisfy relationships of the type

$R = G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \bmod n$

or relationships of the type:

$R = D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \bmod n$

° ° the computation and comparison means of the controller device ascertain that the message M, the challenges d and the commitments R satisfy the hashing function:

$d = h(M, R)$

° case where the controller device has challenges d and responses D
if the controller device has challenges d and responses D,

° ° the computation means of the controller device, on the basis of each challenge d and each response D, compute commitments R' satisfying relationships of the type

$R' = G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \bmod n$

or relationships of the type:

$R' = D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \bmod n$

° ° the computation and comparison means of the controller device ascertain that the message M and the challenges d satisfy the hashing function:

$d = h(M, R')$

° case where the controller device has commitments R and responses D
if the controller device has commitments R and responses D,

° ° the computation means of the controller device apply the hashing function and compute d' such that

$d' = h(M, R)$

° ° the computation and comparison means of the controller device ascertain that the commitments R, the challenges d' and the responses D satisfy relationships of the type

$R = G_1^{d'_1} \cdot G_2^{d'_2} \cdots G_m^{d'_m} \cdot D^v \bmod n$

or relationships of the type:

$R = D^v / (G_1^{d'_1} \cdot G_2^{d'_2} \cdots G_m^{d'_m}) \bmod n$
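The witness device of claim 6, the interactive authentication of claim 7 and the signature and checking operations of claims 9 and 10, worked through in code. This is an added example written for this page; it is not the patent's text nor any reference implementation of the scheme. Everything concrete in it is an assumption that the claims leave open: f = 2 prime factors p, q chosen congruent to 3 modulo 4 (so that iterated principal square roots give the 2^k-th root of $g_i^2$), k = 8, m = 2, SHA-256 as the hashing function h, elementary challenges of k−1 bits, and toy 31-bit primes found by trial division. The sizes are far too small for real use; the structure is what matters. The witness computes R and D per prime and recombines them with the Chinese remainder method (the second branch of claim 6); the controller only ever uses n and the public values $G_i$.

```python
"""Toy GQ2 identification and signature, f = 2 primes; added illustration, demo sizes only."""
import hashlib
import secrets

K = 8                    # security parameter k > 1, public exponent v = 2^k (toy value)
V = 1 << K
M_BASES = 2              # m pairs (G_i, Q_i), m >= 1
CHAL_BITS = K - 1        # ASSUMPTION: each elementary challenge d_i has k-1 bits


def _next_prime_3mod4(x):
    """Smallest prime >= x with p = 3 (mod 4), by trial division (toy sizes only)."""
    x += (3 - x) % 4
    while any(x % dv == 0 for dv in range(3, int(x ** 0.5) + 1, 2)):
        x += 4
    return x


def _crt2(a1, p1, a2, p2):
    """Chinese remainder method: the x mod p1*p2 with x = a1 (mod p1) and x = a2 (mod p2)."""
    return (a1 + p1 * ((a2 - a1) * pow(p1, -1, p2) % p2)) % (p1 * p2)


def keygen(seed_p, seed_q):
    """Primes p, q = 3 (mod 4); bases g_i with G_i = g_i^2 and Q_i such that G_i.Q_i^v = 1 (mod n)."""
    p, q = _next_prime_3mod4(seed_p), _next_prime_3mod4(seed_q)
    n, G, Q, g = p * q, [], [], 2
    while len(G) < M_BASES:
        # x^2 = g and x^2 = -g are both unsolvable mod n exactly when g is a square modulo
        # one prime and a non-square modulo the other (-1 is a non-square for p, q = 3 mod 4).
        if (pow(g, (p - 1) // 2, p) == 1) != (pow(g, (q - 1) // 2, q) == 1):
            Gi = g * g % n
            # 2^k-th root of G_i modulo each prime: apply the principal square root
            # a -> a^((p+1)/4) k times; for p = 3 (mod 4) the result stays a square.
            rp = pow(Gi, pow((p + 1) // 4, K, p - 1), p)
            rq = pow(Gi, pow((q + 1) // 4, K, q - 1), q)
            x = _crt2(rp, p, rq, q)          # x^v = G_i (mod n): the v-th root exists
            G.append(Gi)
            Q.append(pow(x, -1, n))          # G_i . Q_i^v = 1 (mod n)
        g += 1
    qcrt = [[qj % p for qj in Q], [qj % q for qj in Q]]   # components Q_{i,j} = Q_j mod p_i
    return {"p": p, "q": q, "Q": Q, "Qcrt": qcrt}, {"n": n, "G": G}


def commit(priv):
    """Witness step 1: R_i = r_i^v mod p_i for fresh 0 < r_i < p_i, then CRT -> R mod n."""
    p, q = priv["p"], priv["q"]
    r = [secrets.randbelow(p - 1) + 1, secrets.randbelow(q - 1) + 1]
    return r, _crt2(pow(r[0], V, p), p, pow(r[1], V, q), q)


def respond(priv, r, d):
    """Witness step 3: D_i = r_i . Q_{i,1}^d_1 ... Q_{i,m}^d_m mod p_i, then CRT -> D mod n."""
    p, q = priv["p"], priv["q"]
    parts = []
    for i, pi in enumerate((p, q)):
        Di = r[i]
        for Qij, dj in zip(priv["Qcrt"][i], d):
            Di = Di * pow(Qij, dj, pi) % pi
        parts.append(Di)
    return _crt2(parts[0], p, parts[1], q)


def reconstruct(pub, d, D):
    """Controller: R' = G_1^d_1 . ... . G_m^d_m . D^v mod n (first form of the relation)."""
    n, Rp = pub["n"], pow(D, V, pub["n"])
    for Gj, dj in zip(pub["G"], d):
        Rp = Rp * pow(Gj, dj, n) % n
    return Rp


def authenticate(priv, pub):
    """Claim 7 with one triplet {R, d, D}: the controller picks d only after seeing R."""
    r, R = commit(priv)
    d = [secrets.randbelow(1 << CHAL_BITS) for _ in range(M_BASES)]
    return reconstruct(pub, d, respond(priv, r, d)) == R


def challenges_from_hash(msg, Rs):
    """d = h(M, R): one binary train from SHA-256, sliced into m elementary challenges per R."""
    train = hashlib.sha256(msg + b"".join(R.to_bytes(16, "big") for R in Rs)).digest()
    bits, mask, ds = int.from_bytes(train, "big"), (1 << CHAL_BITS) - 1, []
    for _ in Rs:
        ds.append([(bits >> (j * CHAL_BITS)) & mask for j in range(M_BASES)])
        bits >>= M_BASES * CHAL_BITS
    return ds


def sign(priv, pub, msg, t=2):
    """Claim 9: t commitments, challenges extracted from h(M, R), responses D."""
    assert t * M_BASES * CHAL_BITS <= 256, "hash too short for t triplets"
    rs, Rs = zip(*(commit(priv) for _ in range(t)))
    ds = challenges_from_hash(msg, Rs)
    Ds = [respond(priv, r, d) for r, d in zip(rs, ds)]
    return {"M": msg, "R": list(Rs), "d": ds, "D": Ds}


def verify(pub, sig):
    """Claim 10: accepts a signed message {M, R, d, D}, {M, d, D} or {M, R, D}."""
    Rs, ds, Ds = sig.get("R"), sig.get("d"), sig["D"]
    if ds is None:                         # case R and D: recompute d' = h(M, R)
        ds = challenges_from_hash(sig["M"], Rs)
    Rp = [reconstruct(pub, d, D) for d, D in zip(ds, Ds)]
    if Rs is not None and Rp != Rs:        # cases with R: R = G^d . D^v must hold
        return False
    return challenges_from_hash(sig["M"], Rp) == ds   # cases with d: d = h(M, R')
```

`verify` covers the three cases of claim 10 with one code path: when the signed message carries R it checks the relation $R = G^d \cdot D^v$, when it carries d it checks $d = h(M, R')$, and when it carries both it checks both. Two points a practitioner should keep from the code: `commit` draws fresh $r_i$ on every call, because a reused r lets a verifier who sees two triplets divide the responses and recover the $Q_i$; and the number of triplets t is bounded by the hash length, since each triplet consumes m·(k−1) bits of the binary train.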

11. A terminal device associated with an entity, taking the form especially of a nomad object, for example the form of a microprocessor in a microprocessor-based bank card, designed to prove to a controller server:

- the authenticity of an entity and/or

- the integrity of a message M associated with this entity;

by means of:

- m pairs of private values $Q_1, Q_2, \ldots, Q_m$ and public values $G_1, G_2, \ldots, G_m$, m being greater than or equal to 1, or parameters derived from these values,

- a public modulus n constituted by the product of f prime factors $p_1, p_2, \ldots, p_f$ (f being greater than or equal to 2),

said modulus and said values being related by relations of the type

$G_i \cdot Q_i^v \equiv 1 \pmod n$ or $G_i \equiv Q_i^v \pmod n$,

v designating a public exponent such that

$v = 2^k$

where k is a security parameter greater than 1,

said public value $G_i$ being the square $g_i^2$ of the base number $g_i$, smaller than the f prime factors $p_1, p_2, \ldots, p_f$, the base number $g_i$ being such that:

neither of the two equations:

$x^2 \equiv g_i \pmod n$ and $x^2 \equiv -g_i \pmod n$

can be solved for x in the ring of integers modulo n;

the equation:

$x^v \equiv g_i^2 \pmod n$

can be solved for x in the ring of integers modulo n;

said terminal device comprises a witness device comprising

- a memory zone containing the f prime factors $p_i$ and/or the parameters of the Chinese remainders of the prime factors and/or the public modulus n and/or the m private values $Q_j$ and/or the f·m components $Q_{i,j}$ ($Q_{i,j} \equiv Q_j \pmod{p_i}$) of the private values $Q_j$, and the public exponent v;

said witness device also comprises:

- random value production means, hereinafter called random value production means of the witness device,

- computation means, hereinafter called means for the computation of commitments R of the witness device, to compute commitments R in the ring of integers modulo n; each commitment being computed:

° either by performing operations of the type:

$R = r^v \bmod n$

where r is a random value produced by the random value production means, r being such that $0 < r < n$,

° or by performing operations of the type:

$R_i = r_i^v \bmod p_i$

where $r_i$ is a random value associated with the prime number $p_i$ such that $0 < r_i < p_i$, each $r_i$ belonging to a collection of random values $\{r_1, r_2, \ldots, r_f\}$ produced by the random value production means, then by applying the Chinese remainder method;

said witness device also comprises:

- reception means, hereinafter called the means for the reception of the challenges d of the witness device, to receive one or more challenges d; each challenge d comprising m integers $d_i$ hereinafter called elementary challenges;

- computation means, hereinafter called means for the computation of the responses D of the witness device, for the computation, on the basis of each challenge d, of a response D,

° either by performing operations of the type:

$D = r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \cdots Q_m^{d_m} \bmod n$

° or by performing operations of the type:

$D_i = r_i \cdot Q_{i,1}^{d_1} \cdot Q_{i,2}^{d_2} \cdots Q_{i,m}^{d_m} \bmod p_i$

and then by applying the Chinese remainder method,

- transmission means to transmit one or more commitments R and one or more responses D;

there are as many responses D as there are challenges d as there are commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}.

12. A terminal device according to claim 11, designed to prove the authenticity of an entity called a demonstrator to an entity called a controller,
said terminal device being such that it comprises a demonstrator device associated with the demonstrator entity, said demonstrator device being interconnected with the witness device by interconnection means and being capable especially of taking the form of logic microcircuits in a nomad object, for example the form of a microprocessor in a microprocessor-based bank card,

said demonstrator device also comprising connection means for its electrical, electromagnetic, optical or acoustic connection, especially through a data-processing communications network, to the controller device associated with the controller entity, said controller device especially taking the form of a terminal or remote server;

said terminal device enabling the execution of the following steps:

° Step 1: act of commitment R
at each call, the means of computation of the commitments R of the witness device compute each commitment R by applying the process specified according to claim 1,
the witness device has transmission means, hereinafter called the transmission means of the witness device, to transmit all or part of each commitment R to the demonstrator device through the interconnection means,

the demonstrator device also has transmission means, hereinafter called the transmission means of the demonstrator, to transmit all or part of each commitment R to the controller device through the connection means;

° Steps 2 and 3: act of challenge d, act of response D
the means of reception of the challenges d of the witness device receive each challenge d coming from the controller device through the connection means between the controller device and the demonstrator device and through the interconnection means between the demonstrator device and the witness device,
the means of computation of the responses D of the witness device compute the responses D from the challenges d by applying the process specified according to claim 1,

° Step 4: act of checking
the transmission means of the demonstrator transmit each response D to the controller, which carries out the check.
13. Terminal device according to claim 11, designed to give proof to an entity, known as a controller, of the integrity of a message M associated with an entity known as a demonstrator,

said terminal device being such that it comprises a demonstrator device associated with the demonstrator entity, said demonstrator device being interconnected with the witness device by interconnection means and being capable especially of taking the form of logic microcircuits in a nomad object, for example the form of a microprocessor in a microprocessor-based bank card,

said demonstrator device comprising connection means for its electrical, electromagnetic, optical or acoustic connection, especially through a data-processing communications network, to the controller device associated with the controller entity, said controller device especially taking the form of a terminal or remote server;

said terminal device being used to execute the following steps:

° Step 1: act of commitment R
at each call, the means of computation of the commitments R of the witness device compute each commitment R by applying the process specified according to claim 1;
the witness device has means of transmission, hereinafter called the transmission means of the witness device, to transmit all or part of each commitment R to the demonstrator device through the interconnection means,

° Steps 2 and 3: act of challenge d, act of response D
the demonstrator device comprises computation means, hereinafter called the computation means of the demonstrator, applying a hashing function h whose arguments are the message M and all or part of each commitment R to compute at least one token T,

the demonstrator device also has transmission means, hereinafter known as the transmission means of the demonstrator device, to transmit each token T, through the connection means, to the controller device,

said controller, after having received the token T, produces challenges d equal in number to the number of commitments R,

the means of reception of the challenges d of the witness device receive each challenge d coming from the controller device through the connection means between the controller device and the demonstrator device and through the interconnection means between the demonstrator device and the witness device,
the means of computation of the responses D of the witness device compute the responses D from the challenges d by applying the process specified according to claim 1,

° Step 4: act of checking
the transmission means of the demonstrator send each response D to the controller device, which performs the check.

14. Terminal device according to claim 11, designed to produce the digital signature of a message M, hereinafter known as the signed message, by an entity called a signing entity;

the signed message comprising:

- the message M,

- the challenges d and/or the commitments R,

- the responses D;

said terminal device being such that it comprises a signing device associated with the signing entity, said signing device being interconnected with the witness device by interconnection means and possibly taking especially the form of logic microcircuits in a nomad object, for example the form of a microprocessor in a microprocessor-based bank card,

said signing device comprising connection means for its electrical, electromagnetic, optical or acoustic connection, especially through a data-processing communications network, to the controller device associated with the controller entity, said controller device especially taking the form of a terminal or remote server;

Signing operation

said terminal device being used to execute the following steps:

° Step 1: act of commitment R
at each call, the means of computation of the commitments R of the witness device compute each commitment R by applying the process specified according to claim 1,
the witness device has means of transmission, hereinafter called the transmission means of the witness device, to transmit all or part of each commitment R to the signing device through the interconnection means,

° Step 2: act of challenge d
the signing device comprises computation means, hereinafter called the computation means of the signing device, applying a hashing function h whose arguments are the message M and all or part of each commitment R to compute a binary train and extract, from this binary train, challenges d whose number is equal to the number of commitments R,

° Step 3: act of response D
the means for the reception of the challenges d of the witness device receive each challenge d coming from the signing device through the interconnection means,
the means for computing the responses D of the witness device compute the responses D from the challenges d by applying the process specified according to claim 1,

the witness device comprises transmission means, hereinafter called means of transmission of the witness device, to transmit the responses D to the signing device through the interconnection means.

15. Controller device, especially taking the form of a terminal or remote server associated with a controller entity, designed to check:

- the authenticity of an entity and/or

- the integrity of a message M associated with this entity

by means of:

- m public values $G_1, G_2, \ldots, G_m$, m being greater than or equal to 1,

- a public modulus n constituted by the product of f prime factors $p_1, p_2, \ldots, p_f$, f being greater than or equal to 2, unknown to the controller device and to the associated controller entity,

said modulus and said values being related by relations of the type

$G_i \cdot Q_i^v \equiv 1 \pmod n$ or $G_i \equiv Q_i^v \pmod n$,

where $Q_i$ designates a private value, unknown to the controller device, associated with the public value $G_i$,
v designating a public exponent such that

$v = 2^k$

where k is a security parameter greater than 1;

said public value $G_i$ being the square $g_i^2$ of a base number $g_i$ smaller than the f prime factors $p_1, p_2, \ldots, p_f$, the base number $g_i$ being such that the following conditions are met:

neither of the two equations:

$x^2 \equiv g_i \pmod n$ and $x^2 \equiv -g_i \pmod n$

can be solved for x in the ring of integers modulo n;

the equation:

$x^v \equiv g_i^2 \pmod n$

can be solved for x in the ring of integers modulo n.

16. Controller device according to claim 15, designed to prove the authenticity of an entity called a demonstrator to an entity called a controller;
said controller device comprising connection means for its electrical, electromagnetic, optical or acoustic connection, especially through a data-processing communications network, to a demonstrator device associated with the demonstrator entity;

said controller device being used to execute the following steps:

° Steps 1 and 2: act of commitment R, act of challenge d
said controller device also has means for the reception of all or part of the commitments R coming from the demonstrator device through the connection means,
the controller device has challenge production means for the production, after receiving all or part of each commitment R, of the challenges d in a number equal to the number of commitments R, each challenge d comprising m integers $d_i$ hereinafter called elementary challenges,

the controller device also has transmission means, hereinafter called transmission means of the controller, to transmit the challenges d to the demonstrator through the connection means;

° Steps 3 and 4: act of response D, act of checking
said controller device also comprises:

- means for the reception of the responses D coming from the demonstrator device, through the connection means,

- computation means, hereinafter called the computation means of the controller device,

- comparison means, hereinafter called the comparison means of the controller device,

case where the demonstrator has transmitted a part of each commitment R

if the reception means of the controller device have received a part of each commitment R, the computation means of the controller device, having m public values $G_1, G_2, \ldots, G_m$, compute a reconstructed commitment R' from each challenge d and each response D, this reconstructed commitment R' satisfying a relationship of the type

$R' = G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \bmod n$

or a relationship of the type

$R' = D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \bmod n$

the comparison means of the controller device compare each reconstructed commitment R' with all or part of each commitment R received,



